This page hosts the detailed specification for the [https://blueprints.launchpad.net/sahana3/+spec/authentication-authorization Blueprint for the Authentication & Access].

Authentication is the process that verifies the identity of a user.[[BR]]
Authorization provides controlled access to protected resources.

S3 currently uses the default T2 AAA system at a very basic level: {{{t2.logged_in}}}
 * http://trac.sahana3.org/wiki/DeveloperGuidelinesAuthenticationAccess

We use t2.group for Contacts information.[[BR]]
We use s3.role for Security access.

However this won't be appropriate for all deployment scenarios.[[BR]]
 * The main issue is that the current system supports self-registration. We can easily disable that to enforce manual user setup, which /can/ just be via appadmin (low priority to make a nicer UI).

We need to extend to User Roles.[[BR]]
We need to extend to Data Security.

The specification we should be working to implement is in the Wiki:
 * Proposed Trunk: http://wiki.sahana.lk/doku.php?id=dev:new_acl
 * Current Stable: http://wiki.sahana.lk/doku.php?id=dev:security
 * Old: http://wiki.sahana.lk/doku.php?id=dev:authorization

(NB The Vol module currently uses a separate method)

This should (mostly?) be possible using other T2 methods:
 * {{{t2.have_membership()}}}
 * {{{t2.have_access()}}}

This should probably be done by hooking into the [wiki:BluePrintREST RESTlike controller].

We also want to look at linking the AAA t2_person table with the Person Registry's person table.

S2 supports OpenID (as does Launchpad ;) ), so that would be good to support & looks easy:
 * http://openidenabled.com/python-openid/

T3 defines a simple {{{t2.is_admin}}} in {{{db.py}}}:
{{{
is_admin=(t2.logged_in and (not settings.administrator_emails or t2.person_email in settings.administrator_emails))
t2.is_admin=is_admin
}}}
 * Function components protected with: {{{if not is_admin: t2.redirect('index',flash=T('Not Authorised'))}}}
 * appadmin protected in the same way :)
 * Working with Realms, Users, Groups, and Roles: http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxj.html

----
BluePrints
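The following is an added example, not code from this page or from the T2/T3 plugin. It re-implements the {{{is_admin}}} rule quoted above as plain Python so its behaviour can be checked offline, wraps it in a decorator that mirrors the {{{if not is_admin: t2.redirect('index', flash=...)}}} guard used on function components and appadmin, and shows the same decorator taking a role predicate as a first step towards the User Roles extension the page asks for. The {{{Session}}}, {{{Settings}}} and {{{Redirect}}} classes, the {{{requires}}} decorator and the sample addresses are all constructed stand-ins for the real t2 objects; the one point worth noting from the quoted rule is that an empty {{{administrator_emails}}} list makes every logged-in user an admin, so a fail-closed variant is shown beside it.

```python
# Added example, not part of the Sahana3 page or the T2/T3 plugin.
# Session/Settings/Redirect and requires() are hypothetical stand-ins for
# t2.logged_in, t2.person_email, settings.administrator_emails, t2.redirect().
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional, Set


@dataclass
class Settings:
    # Mirrors settings.administrator_emails: an allow-list of admin addresses.
    administrator_emails: list = field(default_factory=list)


@dataclass
class Session:
    # Mirrors t2.logged_in / t2.person_email; 'roles' is a constructed
    # placeholder for whatever s3.role / t2.have_membership() will provide.
    logged_in: bool = False
    person_email: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


def is_admin_as_quoted(t2: Session, settings: Settings) -> bool:
    """Exact semantics of the db.py line quoted on the page. Note the
    'not settings.administrator_emails' branch: with an empty allow-list every
    logged-in user is treated as admin, i.e. an unconfigured deployment fails open."""
    return bool(t2.logged_in and (not settings.administrator_emails
                                  or t2.person_email in settings.administrator_emails))


def is_admin_fail_closed(t2: Session, settings: Settings) -> bool:
    """Variant without the empty-list escape hatch: nobody is admin until the
    allow-list is actually populated."""
    return bool(t2.logged_in and t2.person_email in settings.administrator_emails)


def has_role(role: str) -> Callable[[Session, Settings], bool]:
    """Role predicate in the same shape, so the gate below can use roles too."""
    return lambda t2, settings: bool(t2.logged_in and role in t2.roles)


class Redirect(Exception):
    """Stand-in for t2.redirect(): carries the target view and flash message."""
    def __init__(self, target: str, flash: str):
        super().__init__(flash)
        self.target, self.flash = target, flash


def requires(check: Callable[[Session, Settings], bool]):
    """Decorator form of: if not <check>: t2.redirect('index', flash='Not Authorised')."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(t2: Session, settings: Settings, *args, **kwargs):
            if not check(t2, settings):
                raise Redirect('index', 'Not Authorised')
            return fn(t2, settings, *args, **kwargs)
        return wrapper
    return decorate


@requires(is_admin_as_quoted)
def appadmin_quoted(t2, settings):
    return 'appadmin ok'


@requires(is_admin_fail_closed)
def appadmin_strict(t2, settings):
    return 'appadmin ok'


@requires(has_role('vol_coordinator'))
def volunteer_report(t2, settings):
    return 'report ok'


def try_access(view, t2: Session, settings: Settings) -> str:
    """Call a gated view; return its result or where the guard redirected to."""
    try:
        return view(t2, settings)
    except Redirect as r:
        return f'redirect:{r.target}:{r.flash}'


if __name__ == '__main__':
    # Constructed sample sessions and settings.
    admin = Session(logged_in=True, person_email='admin@example.org')
    coord = Session(logged_in=True, person_email='coord@example.org', roles={'vol_coordinator'})
    anon = Session()
    configured = Settings(['admin@example.org'])
    unconfigured = Settings()
    for label, s in (('admin', admin), ('coord', coord), ('anon', anon)):
        print(label, 'configured  :', try_access(appadmin_quoted, s, configured))
        print(label, 'unconfigured:', try_access(appadmin_quoted, s, unconfigured),
              '| strict:', try_access(appadmin_strict, s, unconfigured),
              '| vol report:', try_access(volunteer_report, s, unconfigured))
```

Running the script shows the difference between the two admin checks only when {{{administrator_emails}}} is empty: the quoted rule lets any logged-in user into appadmin, the strict variant redirects them; with the list populated both behave identically. The role-gated view is unaffected by the admin allow-list at all, which is the separation the User Roles work needs.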