Changes between Version 45 and Version 46 of S3/S3AAA
- Timestamp:
- 01/18/11 01:22:32 (13 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
S3/S3AAA
v45 v46 102 102 In tables which do not define either of these meta-fields, ownership rules are not applied ({{{uacl}}} only). 103 103 104 === !Controller/Table Restriction===104 === Restrictions === 105 105 106 106 ACLs can be defined for controllers, and for particular functions inside controllers.[[BR]] 107 107 ACLs can additionally be defined for individual database tables. 108 108 109 The controller ACLs are activated by setting the respective controller to {{{restricted=True}}} in {{{deployment_settings.modules}}} ({{{000_config.py}}}): 109 ==== System-wide Policy ==== 110 111 To configure the system-wide policy to use ACLs, set {{{security.policy}}} in deployment settings ({{{models/000_config.py}}}): 112 113 {{{ 114 deployment_settings.security.policy = 3 # Apply Controller ACLs 115 }}} 116 117 or: 118 119 {{{ 120 deployment_settings.security.policy = 4 # Apply both Controller and Table ACLs 121 }}} 122 123 ==== Controller Restriction ==== 124 125 Furthermore, it must be specified for which controllers to ACLs are to be used. This can be done by setting the respective controller to {{{restricted=True}}} in {{{deployment_settings.modules}}} ({{{models/000_config.py}}}): 110 126 111 127 {{{ … … 114 130 description = T("Disaster Victim Identification"), 115 131 116 restricted = True, # Apply controller ACLs 132 restricted = True, # Apply controller ACLs for the dvi module 117 133 118 134 module_type = 10, … … 123 139 }}} 124 140 125 If {{{restricted}}} is {{{False}}} or not defined, then simple authorization is used for this controller.141 If {{{restricted}}} is {{{False}}} or undefined for a controller, then simple authorization is used for controller access. 126 142 127 143 The Controller ACL can be defined for all functions in a controller, and additionally for particular functions inside a controller, where the function-specific ACLs override the general controller ACL. That means, you can define a general ACL for the {{{pr}}} controller, and a different one for the {{{pr/person}}} function. … … 129 145 The Controller ACLs are applied to ''all'' resources when accessed through this controller/function. If the Controller ACL does not give any permission for the current user (ACL value==auth.permissions.NONE==0x00), then the request is rejected as "Unauthorized". Controllers do not have to implement this check - this is done at a central place (in {{{00_utils.py}}}). 130 146 147 ==== Table Restriction ==== 148 131 149 Once the user has passed that controller permission check (must have at least {{{read}}} permission), and tries to access to a particular table, then the controller checks for table-specific ACLs. This check is to be implemented by the particular controller using {{{s3_has_permission()}}} and {{{s3_accessible_query}}} (except controllers using S3CRUD only, which already contains it). 132 150 151 If there is no ACL defined for this table at all (i.e. for none of the users), then the table is considered unrestricted and only the controller ACLs apply. 152 153 If there exist ACLs for this table, but not for the current user, access is '''denied''' for the current user. 154 155 If there are specific ACLs defined for this table and the current user, then the most ''restrictive'' of the controller and table ACLs apply (i.e. you cannot allow on the table level what you forbid at the controller level, and vice versa). 156 133 157 '''Note:''' ''For consistency reasons, creating or deleting component records in a resource requires additional permission to update the main record, even though the main record is not changed by this operation, e.g. to add an address to a person record, you must also be permitted to update the person record.'' 134 135 If there are specific ACLs defined for the table, then the most ''restrictive'' of controller and table ACLs apply (i.e. you cannot allow on the table level what you forbid at the controller level, and vice versa). If there are no specific ACLs defined for this table, then the controller ACLs apply.136 137 158 == Implementation of Access Control == 138 159