[Zope-dev] looking for ideas on access control...

Jim Fulton jim@digicool.com
Mon, 09 Aug 1999 08:51:16 -0400


Anthony Baxter wrote:
> 
> For an application I'm building, I'm looking at trying to figure out
> a simple and robust method of doing access control - there's a bunch
> of different users who each have access to certain objects (stored in
> Oracle), and they should get different access based on which object ids
> they are trying to access.
> 
> What I want to be able to do is have something I can call in
> standard_html_header which does something like
> * get AUTHENTICATED_USER.
> * get REQUEST['object_id'].
> * lookup in SQL the rights that this user has over the object with
> object id object_id.
> * set the roles of the user for this transaction, to either 'anonymous/none',
> 'readonly', 'readwrite', or some other variation, and let the permissions
> on the appropriate DTML and SQL methods control what they can do.

standard_html_header isn't where you want to do this.

> What's the mechanism for editing the roles of a transaction? Is it even
> doable?

No, transactions don't have roles.

> Could I simply use a UserDb, add 'object_id' to the list of arguments
> for sqlListUser, and make the SQL magic supply the roles? Will this get
> called for each transaction?

I suggest that you separate user authentication and authorization
from assignment of roles to objects.  Let the user database authenticate
users and assign them roles.  Use a pluggable brain to assign roles to 
different classes of objects stored in the RDBMS or, if necessary, add a
__roles__ computed attribute that assigns object roles using some computation
based on RDBMS columns.  This approach is similar to, but easier than
Phillip's suggestion of defining __allow_groups__ (a user database) for 
each object.

Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!        
Technical Director   (888) 344-4332            http://www.python.org  
Digital Creations    http://www.digicool.com   http://www.zope.org    

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list without my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.
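
Added example (not part of the original message and not Zope's own code): a sketch of the computed __roles__ idea from the reply above, where each RDBMS row's brain derives the roles required to access it from its columns, while the user database alone assigns roles to users. The class, the column names (visibility, owner_group), the role names and may_access, a simplified stand-in for the publisher's role check, are all assumptions.

```python
# Added illustration; runs without Zope. All names below are hypothetical.
PUBLIC = None    # in Zope, __roles__ = None marks an object as public
DENY_ALL = ()    # an empty tuple means no role is sufficient


class DocumentBrain:
    """Stand-in for a pluggable brain mixed into each RDBMS result row."""

    def __init__(self, object_id, visibility, owner_group):
        self.object_id = object_id
        self.visibility = visibility      # constructed column: public/group/private
        self.owner_group = owner_group    # constructed column, e.g. 'finance'

    @property
    def __roles__(self):
        """Roles required to access this row, computed from its columns."""
        if self.visibility == 'public':
            return PUBLIC
        if self.visibility == 'private':
            return ('Manager',)
        if self.visibility == 'group' and self.owner_group:
            return ('Manager',
                    '%s_reader' % self.owner_group,
                    '%s_writer' % self.owner_group)
        # Unknown or malformed column values fail closed.
        return DENY_ALL


def may_access(user_roles, obj):
    """Simplified role check: the user needs one of the object's roles."""
    required = obj.__roles__
    if required is PUBLIC:
        return True
    return bool(set(user_roles) & set(required))


if __name__ == '__main__':
    # Constructed rows; the user's roles come from the user database.
    rows = [DocumentBrain(1, 'public', 'finance'),
            DocumentBrain(2, 'group', 'finance'),
            DocumentBrain(3, 'private', 'hr'),
            DocumentBrain(4, 'group', None)]
    for row in rows:
        print(row.object_id, row.__roles__,
              may_access(['finance_reader'], row))
```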