60 | | Anonymous access is currently granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated: {{{auth.is_logged_in()}}} |
61 | | * Web2Py can extend this by protecting resources with {{{auth.has_membership()}}} (table level security which can be separated for C/R/U/D) & {{{auth.has_permission()}}} (record-level security) |
62 | | * Field-level security example: http://groups.google.com/group/web2py/browse_thread/thread/e4b54f08ec6b66f9 |
63 | | * we should probably support these by adding hooks into the [wiki:BluePrintREST RESTlike controller] |
| 60 | There are 2 modes for Authorisation right now:[[BR]] |
| 61 | * simple: Anonymous access is currently granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated |
| 62 | * full: Uses Web2Py's Role-Based Access Control for both table-level (can be separated for C/R/U/D) & record-level security (http://groups.google.com/group/web2py/browse_thread/thread/e4b54f08ec6b66f9) |
| 63 | |
| 64 | NB 'full' mode require each permission to be explicitly granted, so is currently difficult to administer.[[BR]] |
| 65 | This can be made easier by allowing all basic permissions to start with & then refining down from there:[[BR]] |
| 66 | * {{{for table in db.tables: auth.add_permission(group_id,'read',db[table])}}} |
| 67 | |
| 68 | Whether a user is authorised or not is defined using {{{has_permission()}}} in {{{models/__db.py}}} & called by the [wiki:BluePrintREST RESTlike controller] |
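Review bot: the example at new line 66 grants only 'read' on every table, which does not match line 65's stated intent of starting with all basic permissions and then refining down; either extend the loop to cover the C/R/U/D permission names (e.g. `for table in db.tables:` / `for perm in ('create','read','update','delete'):` / `auth.add_permission(group_id, perm, db[table])`) or reword line 65 to say that only read is granted wholesale. It would also help to state which group `group_id` refers to, since the administrative convenience of granting every permission to a broad group is a much wider default than the anonymous-read/authenticated-write split of 'simple' mode described at line 61.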