Changes between Version 28 and Version 29 of BluePrintAuthorization


Timestamp:
06/19/10 16:56:24 (14 years ago)
Author:
Fran Boon
Comment:

--

  • BluePrintAuthorization

    v28 v29  
    2424        resources = Storage(
    2525            apikey = {
    26                     read : 1,     # This resource is only visible to Administrators
     26                    read : "|1|",     # This resource is only visible to Administrators
    2727                },
    2828            layer_js = {
    29                     create : deployment_settings.auth.roles["AdvancedJS"],    # This resource requires the 'AdvancedJS' role to create (or admin)
    30                     delete : deployment_settings.auth.roles["AdvancedJS"],    # This resource requires the 'AdvancedJS' role to delete (or admin)
    31                     update : deployment_settings.auth.roles["AdvancedJS"],    # This resource requires the 'AdvancedJS' role to update (or admin)
     29                    create : "|%d|" % deployment_settings.auth.roles["AdvancedJS"],    # This resource requires the 'AdvancedJS' role to create (or admin)
     30                    delete : "|%d|" % deployment_settings.auth.roles["AdvancedJS"],    # This resource requires the 'AdvancedJS' role to delete (or admin)
     31                    update : "|%d|" % deployment_settings.auth.roles["AdvancedJS"],    # This resource requires the 'AdvancedJS' role to update (or admin)
    3232                }
    3333        ),
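Review bot: the `apikey` `read` restriction is now the literal string "|1|" while the three `layer_js` entries are built with `"|%d|" %`, so all four values are pipe-delimited strings of role ids rather than bare integers, and whatever consumes `resources` must split on `|` and compare the pieces as the same type as the role list it checks. Build `read` the same way (`"|%d|" % 1`, or one small helper that wraps a list of ids in pipes) so the delimiter convention lives in one place and a multi-role value such as "|1|2|" cannot be mistyped by hand.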
     
    128128        roles.append(membership.group_id)
    129129
    130     # Check if table is restricted
    131130    table = db[tablename]
     131    # Check if table is restricted (Options 1 & 2)
    132132    if 1 in roles:
    133133        # Admins see all tables
     
    145145        #else:
    146146        #    authorised = True
     147
    147148        # Option 2
    148149        module, resource = tablename.split("_", 1)
     
    153154       
    154155        if restriction:
    155             if restriction in roles:
    156                 authorised = True
    157             else:
    158                 authorised = False
     156            authorised = False
     157            restrictions = re.split("\|", restriction)[1:-1]
     158            # Assume we generally have fewer restrictions than roles
     159            for restriction in restrictions:
     160                if restriction in roles:
     161                    authorised = True
     162               
    159163        else:
    160164            # No restriction
    161165            authorised = True
    162         # Option 3
    163         # - not necessary!
    164 
     166
     167    # Options 3:
     168    #if record_id:
     169    # Options 1 & 2:
    165170    if record_id and authorised:
     171        record = db(table.id == record_id).select(table.deleted, table.reader_id, table.writer_id, limitby=(0, 1)).first()
    166172        # Check if record is deleted
    167         record = db(table.id == record_id).select(table.deleted, table.reader_id, table.writer_id, limitby=(0, 1)).first()
    168173        if record.deleted:
    169174            authorised = False
    170175        elif 1 in roles:
     176            # Admin is always authorised to view undeleted data (deleted data accessible through alternate UI)
    171177            authorised = True
    172178        else:
     179            # Need to check the record's auth fields
    173180            if name == "read":
    174181                if not table.reader_id:
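Review bot: type mismatch in the new loop: `restrictions = re.split("\|", restriction)[1:-1]` yields strings such as "1", but `roles` holds integers (`roles.append(membership.group_id)`, `if 1 in roles`), so `if restriction in roles:` never matches and every restricted table is denied to non-admins. Convert before comparing, e.g. `if int(restriction) in roles:`. Two smaller points in the same block: the loop variable shadows the `restriction` value it iterates over, so rename it (`for role_id in restrictions:`), and `[1:-1]` silently drops the first and last ids if a value is ever stored without the surrounding pipes; `restriction.strip("|").split("|")` is more forgiving and needs no regex or `re` import. In the record branch, `.first()` returns None when `record_id` does not exist, so `record.deleted` raises instead of denying; set `authorised = False` explicitly for an unknown id.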
     
    200207return authorised
    201208}}}
    202    * Disadvantage: Slow
    203209
    204210  * UI to manage the fields.
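Review bot: dropping "Disadvantage: Slow" removes the only stated trade-off for this option while the per-record `select()` in the hunk above still issues one DAL query per permission check, so the caveat still holds. Either keep the line or replace it with what mitigates the cost (the later hunk proposes reading a global value instead of repeated DAL queries).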
     
    224230    table.field.readable = False
    225231}}}
    226    * NB If doing this then the roles checks inside {{{shn_has_permission()}}} & {{{shn_accessible_fields()}}} should be modified to read this global value
     232   * NB If doing this then the roles checks inside {{{shn_has_permission()}}} & {{{shn_accessible_fields()}}} should be modified to read this global value instead of more DAL queries (even cached)!
     233
     234 * A Developer should be able to restrict access to records to just those within a certain '''GIS Location''' (e.g. Country or Region)
     235  * Add a special role 'Geographic' which can be added to {{{writer_id}}} (& maybe {{{reader_id}}} although less use case for this)
     236   * Patch {{{shn_has_permission()}}} & maybe {{{shn_accessible_query()}}} to spot this special case &, if no other roles match, then do a lookup in another table (or deployment_settings dict)
     237
     238 * A Developer should be able to restrict access to records to just those within a certain ''Organisation'''
     239  * This could be all members of the Organisation or just the 'Focal Point'
     240  * Add a special role 'Organisation' which can be added to {{{writer_id}}} (& maybe {{{reader_id}}} although less use case for this)
     241   * Patch {{{shn_has_permission()}}} & maybe {{{shn_accessible_query()}}} to spot this special case &, if no other roles match, then do a lookup in another table (or deployment_settings dict)
     242
     243 * A Developer should be able to restrict access to records to just those which the person created
     244  * Add a special role 'Creator' which can be added to {{{writer_id}}} (& maybe {{{reader_id}}} although less use case for this)
     245   * Patch {{{shn_has_permission()}}} & maybe {{{shn_accessible_query()}}} to spot this special case &, if no other roles match, then do a check between {{{auth.user.id}}} & {{{table.created_by}}}
    227246
    228247=== Specific Examples ===
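Review bot: each of the three special roles (Geographic, Organisation, Creator) is specified as a fallback consulted only "if no other roles match", so an explicit role on `writer_id` always wins and the special lookup is never reached when one matches; state that ordering in the blueprint so implementers do not combine the two checks. For 'Creator', `auth.user.id` exists only for a logged-in user, so the comparison against `table.created_by` must treat an anonymous user as not authorised rather than raising. Markup: `''Organisation'''` mixes two opening and three closing quotes; use `'''Organisation'''` to match `'''GIS Location'''` above it.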
     
    245264     * Currently this requires modifying {{{shn_register()}}} in {{{modules/sahana.py}}}
    246265
    247  * A Developer should be able to restrict access to records to just those within a certain GIS location (e.g. Country or Region)
    248   * Add a special role 'Geographic' which can be added to {{{writer_id}}} (& maybe {{{reader_id}}} although less use case for this)
    249    * Patch {{{shn_has_permission()}}} & maybe {{{shn_accessible_query()}}} to spot this special case &, if no other roles match, then do a lookup in another table (or deployment_settings dict)
    250 
    251  * A Developer should be able to restrict access to records to just those within a certain organisation (or the Focal Point for the organisation)
    252   * Add a special role 'Organisation' which can be added to {{{writer_id}}} (& maybe {{{reader_id}}} although less use case for this)
    253    * Patch {{{shn_has_permission()}}} & maybe {{{shn_accessible_query()}}} to spot this special case &, if no other roles match, then do a lookup in another table (or deployment_settings dict)
    254 
    255  * A Developer should be able to restrict access to records to just those which the person created
    256   * Add a special role 'Creator' which can be added to {{{writer_id}}} (& maybe {{{reader_id}}} although less use case for this)
    257    * Patch {{{shn_has_permission()}}} & maybe {{{shn_accessible_query()}}} to spot this special case &, if no other roles match, then do a check between {{{auth.user.id}}} & {{{table.created_by}}}
    258 
    259266 * If access to a record is restricted then access to messages relating to that record should also be restricted
    260   * i.e. block subscription
    261267  * unless routed somewhere visible as well!
    262   * onaccept on message routing (tagging) to check if the only tags are on restricted resources...if they are then restrict the message too.
     268  * block subscription
     269  * onvalidation on message routing (i.e. tagging) to check if the only tags are on restricted resources...if they are then restrict the message too.
     270   * onvalidation not onaccept so that only 1 DAL update() is done
    263271
    264272 * Some tables should be writable by unauthenticated users (writable=|0|)
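Review bot: moving the check from onaccept to onvalidation does save the second `update()`, but it changes what the hook can see: during validation the tags being submitted exist only in `form.vars`, not yet in the database, so the "only tags are on restricted resources" test must merge the submitted tags with any already stored for the message when an existing message is re-tagged, otherwise a message that later gains an unrestricted tag keeps (or loses) its restriction incorrectly. Spell out which way that case should resolve alongside the "unless routed somewhere visible as well" item.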