| | 99 | |
| | 100 | == A-Roles == |
| | 101 | |
| | 102 | ADMIN has all roles (i.e. auth.s3_has_role is always True if the user is ADMIN, regardless of the role asked for). |
| | 103 | |
| | 104 | ADMIN has all permissions (i.e. auth.s3_has_permission is always True if the user is ADMIN). |
| | 105 | |
| | 106 | auth.s3_has_role(ANONYMOUS) is always True (ANONYMOUS role is assigned to all users, even if not logged-in) |
| | 107 | |
| | 108 | auth.s3_has_role(AUTHENTICATED) is always True when the user is logged in (AUTHENTICATED role is automatically assigned to the user when logged-in) |
| | 109 | |
| | 110 | == Session Ownership == |
| | 111 | |
| | 112 | Records created during a session are owned by that session, and oACLs apply to them as they do for personally owned records (i.e. without realm restriction), even if the user is not logged in. |
| | 113 | |
| | 114 | This ownership ends when the user logs in or out, or when the session is otherwise terminated or cleared. |
| | 115 | |
| | 116 | Session ownership allows anonymous users to temporarily own the records they create, so oACL rules can be applied even to unauthenticated users (e.g. to allow update or delete without having to allow it for all records). |
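
The role and session-ownership rules above, as an added example (a simplified model written for this page, not Sahana Eden's own code). The `Session` and `Rule` classes, the `has_role`/`has_permission` functions, the `comment` table and the sample policy are all hypothetical; realms are left out.

```python
# Simplified model of the rules described above; not Sahana Eden's own code.
# All names (Session, Rule, has_role, has_permission) are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

ADMIN, AUTHENTICATED, ANONYMOUS = "ADMIN", "AUTHENTICATED", "ANONYMOUS"

@dataclass
class Session:
    user_id: Optional[int] = None              # None = not logged in
    roles: set = field(default_factory=set)    # explicitly assigned roles
    owned: set = field(default_factory=set)    # (table, id) created in this session

    def create(self, table, record_id):
        self.owned.add((table, record_id))     # record becomes session-owned

    def login(self, user_id, roles=()):
        self.owned.clear()                     # session ownership ends on login
        self.user_id, self.roles = user_id, set(roles)

    def logout(self):
        self.owned.clear()                     # ... and on logout
        self.user_id, self.roles = None, set()

@dataclass(frozen=True)
class Rule:
    role: str
    table: str
    uacl: frozenset    # methods allowed on any record
    oacl: frozenset    # methods allowed on owned records only

def has_role(s, role):
    if ADMIN in s.roles or role == ANONYMOUS:  # ADMIN has all roles; ANONYMOUS is universal
        return True
    if role == AUTHENTICATED:                  # implied by being logged in
        return s.user_id is not None
    return role in s.roles

def has_permission(s, rules, method, table, record_id, owner_id=None):
    if ADMIN in s.roles:                       # ADMIN has all permissions
        return True
    owns = (table, record_id) in s.owned or (  # session-owned or personally owned
        s.user_id is not None and owner_id == s.user_id)
    return any(r.table == table and has_role(s, r.role)
               and (method in r.uacl or (owns and method in r.oacl))
               for r in rules)

# Constructed sample policy: anyone may create/read; update/delete only on owned records.
RULES = [Rule(ANONYMOUS, "comment", frozenset({"create", "read"}),
              frozenset({"read", "update", "delete"}))]
```

With this policy an anonymous session can update or delete only the records it created itself, and loses that ability as soon as it logs in, logs out or is cleared.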