Changes between Version 20 and Version 21 of S3/S3AAA


Timestamp:
01/17/11 11:17:46 (14 years ago)
Author:
Dominic König
Comment:

--

  • S3/S3AAA

    v20 v21  
    6565ACLs are stored per role and request destination in the {{{s3_permission}}} table, which is defined by the {{{S3Permission}}} class (in {{{modules/s3/s3aaa.py}}}).
    6666
     67For every destination (controller/function/table) two ACLs can be defined to be applied depending on whether a user ownes the record or not:
     68
     69  - one ACL for users owning a record (Owner ACL = {{{oacl}}})
     70  - one ACL for any other user not owning the record (User ACL = {{{uacl}}}).
     71
     72If a user ownes a record, then the most permissive of the User ACL and the Owner ACL gets applied, otherwise only the User ACL gets applied.
     73
    6774=== Record Ownership ===
    6875
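Review bot: "ownes" in added lines 67 and 72 should read "owns". Line 72 should also spell out the consequence of the "most permissive" rule for administrators: because the Owner ACL is combined with the User ACL rather than replacing it, {{{oacl}}} can only widen what {{{uacl}}} already grants and can never be used to give owners fewer rights than other users; a short sentence to that effect next to the two bullets would prevent misconfigured expectations.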
     
    7784A user is considered ''owner'' of a record if he has either created the record (user ID == {{{created_by}}}), or he is a member of the owner group ({{{owned_by}}} in user roles).
    7885
    79 In tables which do not define either of these meta-fields, ownership rules are not applied.
     86In tables which do not define either of these meta-fields, ownership rules are not applied ({{{uacl}}} only).
    8087
    81 Record ownership allows to set different permissions depending on whether a user ownes a record or not:
     88=== Controller/Table Restriction ===
    8289
    83   - one ACL for users owning a record (Owner ACL = {{{oacl}}})
    84   - one ACL for any other user not owning the record (User ACL = {{{uacl}}}).
     90ACLs can be defined for controllers, or for particular functions inside controllers.[[BR]]
     91ACLs can additionally be defined for database tables.
    8592
    86 If a user ownes a record, then the most permissive of the User ACL and the Owner ACL gets applied, otherwise only the User ACL gets applied.
    87 === Controller Restriction ===
     93The controller ACLs are applied when the respective controller is set to {{{restricted=True}}} in {{{deployment_settings.modules}}} ({{{000_config.py}}}):
    8894
    89 === Resource Restriction ===
     95{{{
     96    dvi = Storage(
     97            name_nice = T("Disaster Victim Identification"),
     98            description = T("Disaster Victim Identification"),
     99
     100            restricted = True, # Apply controller ACLs
     101
     102            module_type = 10,
     103            resources = Storage(
     104                dvi_recreq = {"importer" : True},
     105            )
     106        ),
     107}}}
     108
     109The Controller ACL can be defined for all functions in a controller, or a particular function inside a controller, where the function-specific ACL overrides the general controller ACL. That means, you can define a general ACL for the {{{pr}}} controller, and a different one for the {{{pr/person}}} function.
     110
     111The Controller ACLs are applied to ''all'' resources when accessed through this controller/function. If the Controller ACL does not specify any permission, the request is rejected as "Unauthorized".
     112
     113Once the user has passed that controller permission check, and requests access to a particular table, the controller checks for table-specific ACLs. If there are specific ACLs for this table, then the most ''restrictive'' of controller and cable ACLs apply (i.e. you cannot allow on the table level what you forbid at the controller level, and vice versa). If there are no specific ACLs defined for this table, then the controller ACLs apply.
    90114
    91115== Implementation of Access Control ==
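Review bot: "cable ACLs" in added line 113 is a typo for "table ACLs". The sequence in lines 109-113 (controller check first, then table check, most restrictive wins) only covers the {{{restricted=True}}} case introduced at line 93; it should also state what happens to table ACLs when a controller is not restricted, i.e. whether the table check still runs on its own or is skipped together with the controller check, since that decides whether a table-level deny still holds for unrestricted controllers. Also "ownes" survives in the unchanged line 84 and should be fixed to "owns" while this section is being rewritten.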