Changes between Version 7 and Version 8 of BluePrintAuthorization


Timestamp:
06/18/10 17:41:45 (14 years ago)
Author:
Fran Boon
Comment:

--

  • BluePrintAuthorization

    v7 v8  
    55  * Add Controller check as well as menu check.
    66  * Configure permissions in {{{000_config.py}}} instead of {{{01_modules.py}}}?
     7   * Change {{{deployment_settings.modules}}} from a list of strings to a list of dicts
     8{{{
     9deployment_settings_modules = Storage(
     10    name = "gis",
     11    name_nice = "Mapping",
     12    readable = None,
     13    writable = None,
     14    description = "Situation Awareness & Geospatial Analysis",
     15    module_type = 2,
     16    resource_readable = Storage(
     17        layer_js = None,
     18    )
     19    resource_writable = Storage(
     20        layer_js = "|6|",        # How to look up this 'magic' number before we've got a database yet? :/
     21    )
     22)
     23}}}
    724 * A Developer needs to be able to restrict access to a Function
    825  * Decorator function - although it doesn't support OR (we could easily write our own function to do this, though)
    926 * A Developer needs to be able to restrict access to a resource
    1027  * REST controller can be blocked via a Decorator
    11   * Full security policy can be invoked, but this is painful/untested within S3 recently
     28  * Full security policy can be invoked, but this is painful (based on protected by default & granted, whereas we want open by default & restricted)/untested within S3 recently
    1229  * We could check for what other functions can access data? Sync. Hard to maintain though.
    13   * Need a new method. Do all accesses go via S3XRC? If not, then needs to be a DAL-level method! Use the Web2Py 'full' for tables but not records?
     30  * Need a new method. Do all accesses go via S3XRC? If not, then needs to be a DAL-level method! Use an auth_permission table like Web2Py 'full' for tables? Set within 000_config.py, along with modules?
    1431 * A Developer needs to be able to restrict access to a record
    1532  * Add 2 reusable multiple=True fields to each table which needs this: {{{reader_id}}} & {{{writer_id}}} combined as {{{permissions_id}}}
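Review bot: the added Storage example (v8 lines 9-22) is not valid Python and does not match the bullet that introduces it. There is no comma between the ")" that closes resource_readable and the following resource_writable = Storage(, the variable is spelled deployment_settings_modules while the bullet names deployment_settings.modules, and the bullet promises a list of dicts where the example is a single Storage. Suggest showing one list entry with the comma added, and stating what readable = None and writable = None mean; given the "open by default & restricted" wording added on v8 line 28 they presumably mean unrestricted, but a reader could just as easily take None as "no access". The hard-coded "|6|" is already questioned by its own comment; naming the role in the config and resolving it to an id once the database exists would avoid tying the file to a row id.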
     
    2037   * Option 1: Do the check alongside deleted as part of a big JOIN
    2138{{{
    22 def shn_accessible_query(user, table):
     39def shn_accessible_query(table):
    2340    """ Modified version of current function from models/01_crud.py """
    2441
    2542    deleted = (table.deleted == None)
    2643
    27     _memberships = db.auth_membership
    28     memberships = db(_memberships.user_id == user).select(_memberships.group_id)
     44    try:
     45        user_id = auth.user.id
     46        _memberships = db.auth_membership
     47        memberships = db(_memberships.user_id == user_id).select(_memberships.group_id)
     48    except:
     49        memberships = None
     50   
    2951    roles = []
    3052    for membership in memberships:
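Review bot: in the new try/except (v8 lines 44-49) the fallback memberships = None is followed by for membership in memberships: on v8 line 52, which raises TypeError in exactly the case the except branch is there to handle, a request with no logged-in user. Use an empty list as the fallback so the loop is skipped and roles stays empty. The bare except: also swallows any error from the auth_membership select, so a failed lookup is silently treated the same as an anonymous user; test auth.user explicitly before the query, or catch only the AttributeError from auth.user.id, and let database errors propagate.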
     
    4567def user_function:
    4668    table = db[tablename]
    47     available = shn_accessible_query(user, table)
     69    available = shn_accessible_query(table)
    4870    query = available & query
    4971}}}
     
    7092  * unless routed somewhere visible as well!
    7193  * onaccept on message routing (tagging) to check if the only tags are on restricted resources...if they are then restrict the message too.
    72 
     94 * Some tables should be writable by unauthenticated users (writable=|0|)
     95  * Need special handling for this in shn_create/shn_update?
    7396----
    7497BluePrintAuthenticationAccess
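Review bot: the added bullet on writable=|0| (v8 line 94) uses a role value that is not defined anywhere in the visible text; the config example uses None for the unset case and "|6|" for a role, so say what |0| denotes and how it differs from None. v8 line 95 names both shn_create and shn_update: state whether anonymous write is meant to cover updating existing records or only creating new ones, since shn_accessible_query has no memberships to build roles from for an unauthenticated caller and the special handling will have to decide which records such a caller may touch.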