wiki:BluePrintAuthorization

Version 19 (modified by Fran Boon, 11 years ago) ( diff )

--

BluePrint for Authorization

User Stories

  • A Developer needs to be able to restrict access to a Module
    • s3.modules in 01_modules.py
    • Add Controller check as well as menu check.
    • Configure permissions in 000_config.py instead of 01_modules.py?
      • Change deployment_settings.modules from a list of strings to a Storage()
        # Need to define Roles in dict for visibility by modules before inserted into DB
        deployment_settings.auth.roles = {
            1 : "Administrator",
            2 : "Authenticated",
            ....
            6 : "AdvancedJS",
        }
        
        deployment_settings_modules = Storage(
            gis = Storage(
                name_nice = "Mapping",
                description = "Situation Awareness & Geospatial Analysis",
                readable = None,    # All Users (inc Anonymous) can see this module in the default menu & access the controller
                writable = None,    # All Authenticated users can edit resources which aren't specially protected
                module_type = 2,    # Used to locate the module in the default menu
                resource_readable = Storage(
                    apikey = 1,     # This resource is only visible to Administrators
                ),
                resource_writable = Storage(
                    layer_js = deployment_settings.auth.roles["AdvancedJS"],    # This resource requires the 'AdvancedJS' role to edit (or admin)
                )
            ),
            ...
        )
        
  • A Developer needs to be able to restrict access to a Function
    • Decorator function : @auth.requires_membership("Administrator")
      • doesn't support OR (we could easily write our own function to do this, though)
  • A Developer needs to be able to restrict access to a resource
    • REST controller can be blocked via a Decorator
    • Full security policy can be invoked, but this is painful (based on protected by default & granted manually) & untested within S3 recently
    • We could check for what other functions can access data? Sync. Hard to maintain though.
    • Need a new method: open by default & restricted manually
      • Needs to be a DAL-level method since not all accesses go via S3XRC.
      • Use an auth_permission table similar to Web2Py 'full' just for tables?
      • Set within 000_config.py, along with module permissions? (see above example)
  • A Developer needs to be able to restrict access to a record
    • Add 2 reusable multiple=True fields to each table which needs this: reader_id & writer_id combined as permissions_id
      • Full backward compatibility since they default to None
    • reader_id checked with a new API function (called from shn_read() & shn_list(), but also available for other functions)
      • combine with the deleted==True check?
        • makes it easier to then replace that check with an 'inactive' field which is a date instead of a boolean, so that records can be set to expire (as well as giving us easy access to know when a record was deleted)
      • Option 1: Do the check alongside deleted as part of a big JOIN
        def shn_accessible_query(table):
            """ Modified version of current function from models/01_crud.py """
        
            deleted = (table.deleted == None)
        
            try:
                user_id = auth.user.id
                _memberships = db.auth_membership
                memberships = db(_memberships.user_id == user_id).select(_memberships.group_id)
            except:
                memberships = None
            
            roles = []
            for membership in memberships:
                roles.append(membership.group_id)
        
            if 1 in roles:
                # Admins see all data
                query = deleted
            else:
               # Fields with no restriction
               accessible = (table.reader_id == None)
               for role in roles:
                   #accessible = accessible & (table.reader_id == str(role)) & (table.reader_id.like('%d|%' % role)) & (table.reader_id.like('%|%d|%' % role)) & (table.reader_id.like('%|%d' % role))
                   accessible = accessible & (table.reader_id.like('%|%d|%' % role))
               query = deleted & accessible
            return query
        
        def user_function:
            table = db[tablename]
            available = shn_accessible_query(table)
            query = available & query
        
        • Advantages:
          • Combines the deleted into single API call
          • Single JOIN for optimal DB performance (Assumption needs testing)
      • Option 2: Do the check in Python after the initial query has returned
        • Advantage: Might have better performance than complex DB string?
        • Disadvantage: More records pulled from DB than necessary
    • writer_id checked with a new API function (called from shn_update(), but also available for other functions)
    • UI to manage the fields.
      • We expect relatively few groups per instance, so can use the checkboxes widget?
      • Have a single checkbox for 'Restrict access' which then opens out the 2 fields.

Specific Examples

  • A Person's Contacts shouldn't be visible by default.
    • Authenticated is OK
      • Simply add the Authenticated group (2) to the table (or records in the table?)
      • This requires all authenticated users to be added to the 'Authenticated' group
  • A Person's Subscriptions shouldn't be visible by default.
    • Admin or themselves is OK
      • This requires the default of adding 1 group per user!
        • In models/00_settings.py: auth.settings.create_user_groups = False
        • Check using auth.user_group(auth.user.id)
        • Filter these out of our views?
  • An Admin should be able to restrict access to records to just those within a certain GIS location (e.g. Country or Region)
  • If access to a record is restricted then access to messages relating to that record should also be restricted
    • unless routed somewhere visible as well!
    • onaccept on message routing (tagging) to check if the only tags are on restricted resources...if they are then restrict the message too.
  • Some tables should be writable by unauthenticated users (writable=|0|)
    • Need special handling for this in shn_create/shn_update?
      • Might need to differentiate the 2 (can deposit new but not edit existing)

BluePrintAuthenticationAccess

BluePrints

Note: See TracWiki for help on using the wiki.