Changes between Initial Version and Version 1 of BluePrintAuthorizationB


Timestamp: 06/20/10 14:11:39 (15 years ago)
Author: Dominic König
Comment: --

  • BluePrintAuthorizationB

    v1 v1  
     1= BluePrint for Authorization (alternative version) =
     2
     3== General model ==
     4
     5Authorization is implemented for:
     6
     7  - module access
     8  - controller access
     9  - table access (create/read/update/delete and custom method)
     10  - record access (create/read/update/delete and custom method)
     11
     12Authorization policy is implemented as:
     13
     14  - if a method is not restricted, then it is accessible for everyone
     15  - if a method is restricted, then access must be explicitly granted, otherwise access is declined (Allow=>Deny order)
     16
     17Permissions are assigned to roles (not to individual users):
     18
     19  - roles are stored in auth_group
     20  - admin role is auth_group 1 (cannot be modified)
     21  - all methods on everything are allowed for members of the admin role
     22  - roles are assigned to users by auth_membership
     23  - roles can be created after deployment
     24  - roles of the actual user are re-read from the DB and stored in the session once per HTTP request
     25
     26There are two pseudo-roles for record access:
     27
     28  - author (=the author of the record)
     29  - editor (=the last author of the record)
     30
     31== Methods ==
     32
     33Denial of access:
     34
     35  - a method '''shn_unauthorized()''' realizes error notification and redirection as appropriate
     36  - non-interactive modes:
     37    - raise a HTTP error and a JSON error message
     38    - DO NOT REDIRECT!
     39  - interactive modes, one of:
     40    - redirect (e.g. to login) and and display an error message on the target page (acceptable)
     41    - raise a HTTP error and display an error page, provide redirection options from the error page (more RESTful)
     42  - shn_unauthorized() takes an optional error message as argument
     43
     44Module/Controller access:
     45
     46  - access can be restricted inside the controllers using:
     47    - '''shn_has_role(role_name)''' which refers to the current user
     48  - shn_has_role() tests can be combined by '''and''', '''or''' and '''not'''
     49
     50Table/Record access:
     51
     52  - table/record access can be restricted by:
     53    - '''shn_permit(table, method, role, id=None)''' adds role to the list of permitted roles for method on table/record
     54    - '''shn_deny(table, method, role, id=None)''' removes role from the list of permitted roles for method on table/record
     55    - '''shn_restrict(table, method, role, id=None)''' replaces the list of permitted roles for method on table/record with [role]
     56  - table/record access permission is tested by:
     57    - '''shn_has_permission(table, method, id=None)''', which returns True/False refering to the current user
     58
     59  - record restrictions override table permissions
     60  - table restrictions override record permissions
     61
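
Review bot: The last two rules (wiki lines 59 and 60, "record restrictions override table permissions" and "table restrictions override record permissions") do not say which list decides when a table and one of its records are both restricted with different roles, so shn_has_permission(table, method, id) has no defined result for that case. State one evaluation order; requiring both the table-level and the record-level list to permit the role would match the Allow=>Deny order on line 15. The text should also define what shn_deny() leaves behind when it removes the last role from a permitted list: read together with line 14 ("if a method is not restricted, then it is accessible for everyone"), an empty list could be taken as "not restricted", which would turn a deny into open access, so say explicitly that a restricted method with no permitted roles is declined for everyone outside the admin role. Minor wording: "and and" on line 40 and "refering" on line 57.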