wiki:BluePrintAuthenticationAccess

Version 13 (modified by Fran Boon, 16 years ago) ( diff )


This page hosts the detailed specification for the Authentication & Access Blueprint.

Authentication is the process that verifies the identity of a user.
Authorization provides controlled access to protected resources.

S3 currently uses the default T2 AAA system at a very basic level: t2.logged_in

We use t2.group for Contacts information

We use s3.role for Security access

However this won't be appropriate for all deployment scenarios.

  • The main issue is that the current system supports self-registration. We can easily disable that to enforce manual user setup, which can just be done via appadmin (low priority to make a nicer UI).

We need to extend to User Roles.

We need to extend to Data Security.

The specification we should be working to implement is in the Wiki:

(NB The Vol module currently uses a separate method)

This should (mostly?) be possible using other T2 methods:

  • t2.have_membership()
  • t2.have_access()

This should probably be done by hooking into the RESTlike controller
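As an added example of what gating the RESTlike controller on group membership and table access could look like, here is a plain-Python model of the check. It is not T2 or Sahana code: the class and function names (Session, AccessPolicy, NotAuthorised, authorise_request), the verb-to-permission table, and the sample "person" table, "Registrar" and "Administrator" groups are assumptions for illustration, and t2.have_membership()/t2.have_access() are only mirrored in spirit, not called. Anonymous sessions hold no memberships, and verbs that are not mapped to a permission are refused rather than allowed through.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# REST verb -> permission it needs on the target table; unlisted verbs are refused.
VERB_TO_PERMISSION = {
    "list": "read",
    "read": "read",
    "create": "write",
    "update": "write",
    "delete": "delete",
}


@dataclass(frozen=True)
class Session:
    """Stand-in for the request session: who is logged in and which groups they hold."""
    user_id: Optional[int] = None           # None models an anonymous visitor
    groups: FrozenSet[str] = frozenset()    # group memberships (cf. t2.group)

    @property
    def logged_in(self) -> bool:
        return self.user_id is not None


@dataclass
class AccessPolicy:
    """Table-level grants: table -> permission -> groups that hold it."""
    grants: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    public_read: Set[str] = field(default_factory=set)  # tables anyone may read

    def grant(self, table: str, permission: str, group: str) -> None:
        self.grants.setdefault(table, {}).setdefault(permission, set()).add(group)

    def have_membership(self, session: Session, group: str) -> bool:
        # An anonymous session holds no memberships, whatever its groups field says.
        return session.logged_in and group in session.groups

    def have_access(self, session: Session, table: str, permission: str) -> bool:
        if permission == "read" and table in self.public_read:
            return True
        allowed = self.grants.get(table, {}).get(permission, set())
        return any(self.have_membership(session, g) for g in allowed)


class NotAuthorised(Exception):
    """Raised where the real controller would redirect with a 'Not Authorised' flash."""


def authorise_request(policy: AccessPolicy, session: Session, table: str, method: str) -> str:
    """Gate one RESTlike request before it touches the table; returns the permission used."""
    permission = VERB_TO_PERMISSION.get(method)
    if permission is None:
        raise NotAuthorised(f"unknown method {method!r} on {table}")
    if not policy.have_access(session, table, permission):
        raise NotAuthorised(f"{method} on {table} denied")
    return permission


def build_demo_policy() -> AccessPolicy:
    # Constructed sample: a publicly readable 'person' table that registrars
    # may edit and only administrators may delete.
    policy = AccessPolicy(public_read={"person"})
    policy.grant("person", "write", "Registrar")
    policy.grant("person", "write", "Administrator")
    policy.grant("person", "delete", "Administrator")
    return policy


def run_demo() -> Dict[str, bool]:
    """Run constructed requests against the policy; True means allowed."""
    policy = build_demo_policy()
    anonymous = Session()
    registrar = Session(user_id=7, groups=frozenset({"Registrar"}))
    admin = Session(user_id=1, groups=frozenset({"Administrator"}))
    cases = {
        "anonymous_read": (anonymous, "read"),
        "anonymous_update": (anonymous, "update"),
        "registrar_update": (registrar, "update"),
        "registrar_delete": (registrar, "delete"),
        "admin_delete": (admin, "delete"),
        "admin_purge": (admin, "purge"),  # verb not in the table -> refused
    }
    results: Dict[str, bool] = {}
    for name, (session, method) in cases.items():
        try:
            authorise_request(policy, session, "person", method)
            results[name] = True
        except NotAuthorised:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:18s} {'allowed' if allowed else 'denied'}")
```

The point of resolving access in one place (authorise_request) is that every REST verb, including ones added later, passes through the same check and is denied unless a permission has been mapped and granted.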

We also want to look at linking the AAA t2_person table with the Person Registry's person table

S2 supports OpenID (as does Launchpad ;) ), so that would be good to support & looks easy:

T3 defines a simple t2.is_admin in db.py:

# Admin if logged in and either no administrator list is configured (then every logged-in user is admin) or the user's e-mail is on the list
is_admin = (t2.logged_in and (not settings.administrator_emails or t2.person_email in settings.administrator_emails))
t2.is_admin = is_admin

  • Function components are protected with: if not is_admin: t2.redirect('index', flash=T('Not Authorised'))
  • appadmin is protected in the same way :)
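To see how the is_admin rule behaves at its edges, here is an added example (plain Python, not the T3 or Sahana code itself) that applies the same expression to a constructed set of sessions and settings. The function names compute_is_admin, require_admin and evaluate_configs, and the sample e-mail addresses, are assumptions for illustration. The case worth noticing is the empty administrator_emails: with that setting every logged-in user counts as an admin, and, as the last case shows, the comparison is an exact string match.

```python
from __future__ import annotations

from typing import Dict, Optional, Sequence


def compute_is_admin(logged_in: bool, person_email: Optional[str],
                     administrator_emails: Sequence[str]) -> bool:
    """Same rule as the db.py expression: logged in, and either no admin
    list is configured or the user's e-mail appears in it."""
    return bool(logged_in and (not administrator_emails
                               or person_email in administrator_emails))


def require_admin(is_admin: bool, action: str) -> str:
    """Mirror of "if not is_admin: t2.redirect('index', flash=...)"; returns
    the outcome as a string instead of performing a redirect."""
    if not is_admin:
        return "redirect:index (Not Authorised)"
    return f"ran:{action}"


def evaluate_configs() -> Dict[str, bool]:
    """Evaluate the rule for constructed sessions and settings."""
    admins = ["admin@example.org"]  # constructed sample setting
    return {
        # Anonymous visitors are never admins, whatever the setting.
        "anonymous_empty_list": compute_is_admin(False, None, []),
        "anonymous_with_list": compute_is_admin(False, None, admins),
        # With an empty administrator_emails, EVERY logged-in user is admin.
        "user_empty_list": compute_is_admin(True, "anyone@example.org", []),
        # With a list configured, only listed addresses qualify ...
        "listed_user": compute_is_admin(True, "admin@example.org", admins),
        "unlisted_user": compute_is_admin(True, "anyone@example.org", admins),
        # ... and the match is exact, so a differently cased address fails.
        "listed_user_other_case": compute_is_admin(True, "Admin@Example.org", admins),
    }


if __name__ == "__main__":
    for name, result in evaluate_configs().items():
        print(f"{name:24s} is_admin={result}  ->  {require_admin(result, 'appadmin')}")
```

A deployment that relies on administrator_emails to restrict appadmin therefore needs the list populated before users other than the administrator can log in; an empty list is not a "no admins" setting but an "all users are admins" one.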
