Version 16 (modified by 14 years ago) ( diff ) | ,
---|
BluePrint for Authorization
User Stories
- A Developer needs to be able to restrict access to a Module
s3.modules in01_modules.py
- Add Controller check as well as menu check.
- Configure permissions in
000_config.py
instead of01_modules.py
?- Change
deployment_settings.modules
from a list of strings to a Storage()# Need to define Roles in dict for visibility by modules before inserted into DB deployment_settings.auth.roles = { 1 : "Administrator", 2 : "Authenticated", .... 6 : "AdvancedJS", } deployment_settings_modules = Storage( gis = Storage( name_nice = "Mapping", description = "Situation Awareness & Geospatial Analysis", readable = None, # All Users (inc Anonymous) can see this module in the default menu & access the controller writable = None, # All Authenticated users can edit resources which aren't specially protected module_type = 2, # Used to locate the module in the default menu resource_readable = Storage( apikey = 1, # This resource is only visible to Administrators ) resource_writable = Storage( layer_js = deployment_settings.auth.roles["AdvancedJS"], # This resource requires the 'AdvancedJS' role to edit (or admin) ) ), ... )
- Change
- A Developer needs to be able to restrict access to a Function
Decorator function : @auth.requires_membership("Administrator")- doesn't support OR (we could easily write our own function to do this, though)
- A Developer needs to be able to restrict access to a resource
- REST controller can be blocked via a Decorator
- Full security policy can be invoked, but this is painful (based on protected by default & granted manually) & untested within S3 recently
- We could check for what other functions can access data? Sync. Hard to maintain though.
- Need a new method: open by default & restricted manually
- Needs to be a DAL-level method since not all accesses go via S3XRC.
- Use an
auth_permission
table similar to Web2Py 'full' for tables? - Set within
000_config.py
, along with module permissions?
- A Developer needs to be able to restrict access to a record
- Add 2 reusable
multiple=True
fields to each table which needs this:reader_id
&writer_id
combined aspermissions_id
- Full backward compatibility since they default to None
- reader_id checked with a new API function (called from shn_read() & shn_list(), but also available for other functions)
- combine with the
deleted==True
check?- makes it easier to then replace that check with an 'inactive' field which is a date instead of a boolean, so that records can be set to expire (as well as giving us easy access to know when a record was deleted)
- Option 1: Do the check alongside deleted as part of a big JOIN
def shn_accessible_query(table): """ Modified version of current function from models/01_crud.py """ deleted = (table.deleted == None) try: user_id = auth.user.id _memberships = db.auth_membership memberships = db(_memberships.user_id == user_id).select(_memberships.group_id) except: memberships = None roles = [] for membership in memberships: roles.append(membership.group_id) if 1 in roles: # Admins see all data query = deleted else: # Fields with no restriction accessible = (table.reader_id == None) for role in roles: #accessible = accessible & (table.reader_id == str(role)) & (table.reader_id.like('%d|%' % role)) & (table.reader_id.like('%|%d|%' % role)) & (table.reader_id.like('%|%d' % role)) accessible = accessible & (table.reader_id.like('%|%d|%' % role)) query = deleted & accessible return query def user_function: table = db[tablename] available = shn_accessible_query(table) query = available & query
- Advantages:
- Combines the deleted into single API call
- Single JOIN for optimal DB performance (Assumption needs testing)
- Advantages:
- Option 2: Do the check in Python after the initial query has returned
- Advantage: Might have better performance than complex DB string?
- Disadvantage: More records pulled from DB than necessary
- combine with the
- writer_id checked with a new API function (called from shn_update(), but also available for other functions)
- UI to manage the fields.
- We expect relatively few groups per instance, so can use the checkboxes widget?
- Have a single checkbox for 'Restrict access' which then opens out the 2 fields.
- Add 2 reusable
Specific Examples
- A Person's Contacts shouldn't be visible by default.
- Authenticated is OK
- Simply add the Authenticated group (2) to the table (or records in the table?)
This requires all authenticated users to be added to the 'Authenticated' group
- Authenticated is OK
- A Person's Subscriptions shouldn't be visible by default.
- Admin or themselves is OK
- This requires the default of adding 1 group per user!
- We therefore filter these out of our views?
- This requires the default of adding 1 group per user!
- Admin or themselves is OK
- An Admin should be able to restrict access to records to just those within a certain GIS location (e.g. Country or Region)
- If access to a record is restricted then access to messages relating to that record should also be restricted
- unless routed somewhere visible as well!
- onaccept on message routing (tagging) to check if the only tags are on restricted resources...if they are then restrict the message too.
- Some tables should be writable by unauthenticated users (writable=|0|)
- Need special handling for this in shn_create/shn_update?
- Might need to differentiate the 2 (can deposit new but not edit existing)
- Need special handling for this in shn_create/shn_update?
Note:
See TracWiki
for help on using the wiki.