[Zope-DB] Zope - SQL authorisation model
Dieter Maurer
dieter at handshake.de
Tue May 31 15:02:42 EDT 2005
Terry Kerr wrote at 2005-5-31 19:02 +1000:
> ...
>For example, the person who is authenticated to the site (will be
>authenticated via my user folder looking at the credentials in the
>person record in the person table), is only allowed to update records in
>a specific table that they own, as determined by a foreign key link to
>the person record. The only way I can see to implement security is to
>explicity code in my python form validation script, a check that makes
>sure the person is infact allowed to edit the record...this in itself
>would require a database query to check the foreign key link against the
>authenticated user id.
>
>My authorization gets more complicated than that though....
If you have complex rules (apparently, you do), then
you will need to implement them somewhere -- each of them...
>...
>Another approach maybe to implement the authorization at the database
>level by using GRANT, REVOKE, rules on tables, functions, views, etc.
>If the Zope database connector could connect as the authenticated user,
>then the rules would apply.
The standard Zope DAs do not directly support this.
In the SQLRelay documentation, I found that Oracle supports
user switching for a connection. If you have such
a database (and the user switching supported by your Python-database
bridge), then you can easily extend the DA to use this feature.
As I understand SQLRelay, it does this for you, in case the
database supports it (and "SQLRelay" knows that it does).
If your database system has a cheap "connect", then you
can create a new connection for each request and authenticate
the current user. Again "SQLRelayDA" can show you how to achieve this
(if you do not directly use "SQLRelayDA").
--
Dieter
More information about the Zope-DB
mailing list