Anthony Baxter wrote:

> For an application I'm building, I'm looking at trying to figure out a simple and robust method of doing access control - there's a bunch of different users who each have access to certain objects (stored in Oracle), and they should get different access based on which object ids they are trying to access.
>
> What I want to be able to do is have something I can call in standard_html_header which does something like
>
> * get AUTHENTICATED_USER.
> * get REQUEST['object_id'].
> * lookup in SQL the rights that this user has over the object with object id object_id.
> * set the roles of the user for this transaction, to either 'anonymous/none', 'readonly', 'readwrite', or some other variation, and let the permissions on the appropriate DTML and SQL methods control what they can do.
standard_html_header isn't where you want to do this.
> What's the mechanism for editing the roles of a transaction? Is it even doable?
No, transactions don't have roles.
> Could I simply use a UserDb, add 'object_id' to the list of arguments for sqlListUser, and make the SQL magic supply the roles? Will this get called for each transaction?
I suggest that you separate user authentication and authorization from assignment of roles to objects. Let the user database authenticate users and assign them roles. Use a pluggable brain to assign roles to different classes of objects stored in the RDBMS or, if necessary, add a __roles__ computed attribute that assigns object roles using some computation based on RDBMS columns. This approach is similar to, but easier than, Phillip's suggestion of defining __allow_groups__ (a user database) for each object.

Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!
Technical Director   (888) 344-4332            http://www.python.org
Digital Creations    http://www.digicool.com   http://www.zope.org
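The split Jim recommends (user database supplies a user's roles; a per-row brain computes the object's allowed roles) as a standalone Python sketch. This is an added example, not code from the thread or from Zope; Zope is not imported, and the column names (object_id, min_role, is_public) and the role ladder are assumptions made for the illustration.

```python
# Added example: standalone sketch of a computed __roles__ on a per-row
# "brain". Not Zope's own code; column names and role ladder are assumed.

# Role ladder, least to most privileged. A user's roles come from the user
# database (authentication); an object's allowed roles come from its row.
ROLE_ORDER = ('Anonymous', 'Reader', 'Editor', 'Manager')


class ObjectBrain:
    """Plain class standing in for a pluggable brain: one instance per row.

    In Zope a brain class is attached to a SQL method so that each result
    row becomes an instance carrying the row's columns as attributes; here
    the constructor takes the (assumed) columns directly.
    """

    def __init__(self, object_id, min_role, is_public):
        self.object_id = object_id
        self.min_role = min_role          # least privileged role allowed
        self.is_public = bool(is_public)  # public rows admit Anonymous too

    @property
    def __roles__(self):
        """Roles allowed on this object, derived from the row's columns."""
        base = 'Anonymous' if self.is_public else self.min_role
        return list(ROLE_ORDER[ROLE_ORDER.index(base):])


def load_brains(rows):
    """Index brains by object_id from (object_id, min_role, is_public) rows."""
    return {row[0]: ObjectBrain(*row) for row in rows}


def can_access(user_roles, brain):
    """Simplified stand-in for the security check: any shared role grants."""
    return bool(set(user_roles) & set(brain.__roles__))


# Constructed sample rows, shaped as the SQL method might return them.
SAMPLE_ROWS = [
    ('doc-1', 'Reader', 0),   # any authenticated reader or above
    ('doc-2', 'Editor', 0),   # editors and managers only
    ('doc-3', 'Manager', 1),  # flagged public: anyone, even anonymous
]
BRAINS = load_brains(SAMPLE_ROWS)

if __name__ == '__main__':
    users = (('alice', ['Reader']), ('bob', ['Editor']), ('guest', ['Anonymous']))
    for uid, roles in users:
        for oid, brain in BRAINS.items():
            print(uid, oid, 'allowed' if can_access(roles, brain) else 'denied')
```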