Version 18 (modified by Fran Boon, 13 years ago) ( diff )


This page hosts the detailed specification for the Blueprint for the Authentication & Access.

Authentication is the process that verifies the identity of a user.
Authorization provides controlled access to protected resources.

S3 builds on the default T2 AAA system:

Anonymous access is currently granted for all Read operations, with Create/Update/Delete requiring a user to be Authenticated: t2.logged_in

  • T2 can extend this by protecting resources with t2.have_membership() (functional check) & t2.have_access() (record-level security)
  • we should probably support this by adding hooks into the RESTlike controller

The system supports Self-Registration, which won't be appropriate for all deployment scenarios.
To disable it requires:

  • Removing the link from the menu in layout.html
  • Disabling the function in controllers/

If self-registration is disabled then users maintenance can be done via appadmin until we develop our own UI.
This will also be the case for adding extra roles anyway.


We use t2_group table for Contact Lists information

We use s3_role table for Security access

  • roles initialised in
  • module writers need to add any required roles there

Membership of roles is controlled via the Many-to-Many table: s3_roleholder

The specification we should be working to implement is in the Wiki:

(NB The Vol module currently uses a separate method)

We also want to look at linking the AAA t2_person table with the Person Registry's person table

S2 supports OpenID (as does Launchpad ;) ), so that would be good to support & looks easy:

T3 defines a simple t2.is_admin defined in

is_admin=(t2.logged_in and (not settings.administrator_emails or t2.person_email in settings.administrator_emails))
  • Function components protected with: if not is_admin: t2.redirect('index',flash=T('Not Authorised'))
  • appadmin protected in the same way :)


Note: See TracWiki for help on using the wiki.