[Zope-dev] looking for ideas on access control...

Anthony Baxter anthony@interlink.com.au
Fri, 06 Aug 1999 15:49:17 +1000


For an application I'm building, I'm looking at trying to figure out
a simple and robust method of doing access control - there's a bunch
of different users who each have access to certain objects (stored in
Oracle), and they should get different access based on which object ids
they are trying to access. 

What I want to be able to do is have something I can call in 
standard_html_header which does something like
* get AUTHENTICATED_USER.
* get REQUEST['object_id'].
* look up in SQL the rights that this user has over the object with
  object id object_id.
* set the roles of the user for this transaction, to either 'anonymous/none',
  'readonly', 'readwrite', or some other variation, and let the permissions
  on the appropriate DTML and SQL methods control what they can do.

What's the mechanism for editing the roles of a transaction? Is it even
doable?

Could I simply use a UserDb, add 'object_id' to the list of arguments
for sqlListUser, and make the SQL magic supply the roles? Will this get
called for each transaction?

thanks,
Anthony
--
Anthony Baxter     <anthony@interlink.com.au>
It's never too late to have a happy childhood.
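
Added example, not part of the original message and not Zope code: a plain-Python sketch of the per-request lookup the post describes, resolving a role from (user, object_id) on every call and falling back to 'anonymous/none' whenever anything is missing or unrecognised. The table name `object_rights`, the function names, the permission sets and the sample rows are assumptions, and an in-memory SQLite database stands in for Oracle.

```python
import sqlite3

# Role names come from the post; the permission sets are assumed for illustration.
ROLE_PERMISSIONS = {
    "anonymous/none": frozenset(),
    "readonly": frozenset({"view"}),
    "readwrite": frozenset({"view", "edit"}),
}
DEFAULT_ROLE = "anonymous/none"


def make_sample_db():
    """Constructed sample data; in-memory SQLite stands in for Oracle."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE object_rights (username TEXT NOT NULL, "
        "object_id INTEGER NOT NULL, role TEXT NOT NULL, "
        "PRIMARY KEY (username, object_id))"
    )
    db.executemany("INSERT INTO object_rights VALUES (?, ?, ?)", [
        ("alice", 101, "readwrite"),
        ("alice", 102, "readonly"),
        ("bob", 101, "readonly"),
        ("bob", 103, "superuser"),  # role the application does not know
    ])
    return db


def role_for_request(db, username, raw_object_id):
    """Resolve the role for one request; any doubt yields DEFAULT_ROLE."""
    # object_id arrives in the request, so treat it as untrusted input.
    try:
        object_id = int(str(raw_object_id).strip())
    except ValueError:
        return DEFAULT_ROLE
    if not username or object_id < 0:
        return DEFAULT_ROLE
    # Bound parameters keep the request value out of the SQL text.
    row = db.execute(
        "SELECT role FROM object_rights WHERE username = ? AND object_id = ?",
        (username, object_id),
    ).fetchone()
    # No row, or a role outside the known set, means no access.
    if row is None or row[0] not in ROLE_PERMISSIONS:
        return DEFAULT_ROLE
    return row[0]


def is_allowed(db, username, raw_object_id, permission):
    """Look the role up again on every call so it never carries over
    from one object id to the next."""
    role = role_for_request(db, username, raw_object_id)
    return permission in ROLE_PERMISSIONS[role]
```
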