Changes between Version 24 and Version 25 of S3/S3AAA


Ignore:
Timestamp:
01/17/11 11:27:57 (11 years ago)
Author:
Dominic König
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • S3/S3AAA

    v24 v25  
    9898=== !Controller/Table Restriction ===
    9999
    100 ACLs can be defined for controllers, or for particular functions inside controllers.[[BR]]
     100ACLs can be defined for controllers, and for particular functions inside controllers.[[BR]]
    101101ACLs can additionally be defined for individual database tables.
    102102
     
    117117}}}
    118118
    119 If {{{restricted}}} is {{{False}}} or not defined, then the controller falls back to simple authorization.
     119If {{{restricted}}} is {{{False}}} or not defined, then simple authorization is used for this controller.
    120120
    121 The Controller ACL can be defined for all functions in a controller, or a particular function inside a controller, where the function-specific ACL overrides the general controller ACL. That means, you can define a general ACL for the {{{pr}}} controller, and a different one for the {{{pr/person}}} function.
     121The Controller ACL can be defined for all functions in a controller, and additionally for particular functions inside a controller, where the function-specific ACLs override the general controller ACL. That means, you can define a general ACL for the {{{pr}}} controller, and a different one for the {{{pr/person}}} function.
    122122
    123 The Controller ACLs are applied to ''all'' resources when accessed through this controller/function. If the Controller ACL does not specify any permission, the request is rejected as "Unauthorized".
     123The Controller ACLs are applied to ''all'' resources when accessed through this controller/function. If the Controller ACL does not give any permission for the current user (ACL value==auth.permissions.NONE==0x00), then the request is rejected as "Unauthorized". Controllers do not have to implement this check, since this is done at a central place (in {{{00_utils.py}}}).
    124124
    125 Once the user has passed that controller permission check, and requests access to a particular table, the controller checks for table-specific ACLs. If there are specific ACLs for this table, then the most ''restrictive'' of controller and cable ACLs apply (i.e. you cannot allow on the table level what you forbid at the controller level, and vice versa). If there are no specific ACLs defined for this table, then the controller ACLs apply.
     125Once the user has passed that controller permission check (must have at least {{{read}}} permission), and tries to access to a particular table, then the controller checks for table-specific ACLs. If there are specific ACLs defined for the table, then the most ''restrictive'' of controller and table ACLs apply (i.e. you cannot allow on the table level what you forbid at the controller level, and vice versa). If there are no specific ACLs defined for this table, then the controller ACLs apply.
    126126
    127127== Implementation of Access Control ==