Changes between Version 45 and Version 46 of S3/S3AAA


Ignore:
Timestamp:
01/18/11 01:22:32 (11 years ago)
Author:
Dominic König
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • S3/S3AAA

    v45 v46  
    102102In tables which do not define either of these meta-fields, ownership rules are not applied ({{{uacl}}} only).
    103103
    104 === !Controller/Table Restriction ===
     104=== Restrictions ===
    105105
    106106ACLs can be defined for controllers, and for particular functions inside controllers.[[BR]]
    107107ACLs can additionally be defined for individual database tables.
    108108
    109 The controller ACLs are activated by setting the respective controller to {{{restricted=True}}} in {{{deployment_settings.modules}}} ({{{000_config.py}}}):
     109==== System-wide Policy ====
     110
     111To configure the system-wide policy to use ACLs, set {{{security.policy}}} in deployment settings ({{{models/000_config.py}}}):
     112
     113{{{
     114deployment_settings.security.policy = 3 # Apply Controller ACLs
     115}}}
     116
     117or:
     118
     119{{{
     120deployment_settings.security.policy = 4 # Apply both Controller and Table ACLs
     121}}}
     122
     123==== Controller Restriction ====
     124
     125Furthermore, it must be specified for which controllers to ACLs are to be used. This can be done by setting the respective controller to {{{restricted=True}}} in {{{deployment_settings.modules}}} ({{{models/000_config.py}}}):
    110126
    111127{{{
     
    114130            description = T("Disaster Victim Identification"),
    115131
    116             restricted = True, # Apply controller ACLs
     132            restricted = True, # Apply controller ACLs for the dvi module
    117133
    118134            module_type = 10,
     
    123139}}}
    124140
    125 If {{{restricted}}} is {{{False}}} or not defined, then simple authorization is used for this controller.
     141If {{{restricted}}} is {{{False}}} or undefined for a controller, then simple authorization is used for controller access.
    126142
    127143The Controller ACL can be defined for all functions in a controller, and additionally for particular functions inside a controller, where the function-specific ACLs override the general controller ACL. That means, you can define a general ACL for the {{{pr}}} controller, and a different one for the {{{pr/person}}} function.
     
    129145The Controller ACLs are applied to ''all'' resources when accessed through this controller/function. If the Controller ACL does not give any permission for the current user (ACL value==auth.permissions.NONE==0x00), then the request is rejected as "Unauthorized". Controllers do not have to implement this check - this is done at a central place (in {{{00_utils.py}}}).
    130146
     147==== Table Restriction ====
     148
    131149Once the user has passed that controller permission check (must have at least {{{read}}} permission), and tries to access to a particular table, then the controller checks for table-specific ACLs. This check is to be implemented by the particular controller using {{{s3_has_permission()}}} and {{{s3_accessible_query}}} (except controllers using S3CRUD only, which already contains it).
    132150
     151If there is no ACL defined for this table at all (i.e. for none of the users), then the table is considered unrestricted and only the controller ACLs apply.
     152
     153If there exist ACLs for this table, but not for the current user, access is '''denied''' for the current user.
     154
     155If there are specific ACLs defined for this table and the current user, then the most ''restrictive'' of the controller and table ACLs apply (i.e. you cannot allow on the table level what you forbid at the controller level, and vice versa).
     156
    133157  '''Note:''' ''For consistency reasons, creating or deleting component records in a resource requires additional permission to update the main record, even though the main record is not changed by this operation, e.g. to add an address to a person record, you must also be permitted to update the person record.''
    134 
    135 If there are specific ACLs defined for the table, then the most ''restrictive'' of controller and table ACLs apply (i.e. you cannot allow on the table level what you forbid at the controller level, and vice versa). If there are no specific ACLs defined for this table, then the controller ACLs apply.
    136 
    137158== Implementation of Access Control ==
    138159