Identity improvement proposal


Christophe de VIENNE

Sep 27, 2007, 10:55:33 AM9/27/07
to turbo...@googlegroups.com
Hi all,

Sorry for the long post, if you want to save time you can skip the first part.


I/ Background


The application I'm working on is a web-frontend to a legacy database.
User, groups, roles and permissions are stored in this database, with
our own way of granting rights.
Using my own classes with identity was pretty straightforward, and I
can log in using the legacy logins of the program.

So far everything is beautiful.

Now come the permissions and the predicates, and I have 2 issues that
are not solved directly by only providing my own model:

1. My application allows the anonymous user to be granted some rights
_the same way_ groups are. And I definitely need to keep this ability
because I want the users (and not the developers) to decide whether or
not anonymous visitors can do things on their website.

2. I want the users (still not the developers) to grant permissions
depending on the visitor location (by location I mean intranet or
internet).

The frustrating thing is that predicates allow one to control such
information, but are only usable by the developer.
The idea I would like to propose solves both my issues, and IMHO
brings some interesting possibilities. Here it is...

II/ The proposal

Introduce a new class, that I will call SpecialGroup, although we may
find a better name.
This class can be given permissions, just like the classic Group, but
it has no user attached to it.
Instead, we attach a predicate to it, and store the whole definition
in the database.

Now, for example, my user can define a SpecialGroup named "LocalNetwork".
Its 'predicate' attribute would be: from_network('192.168.1.0/24')

Let's say I have a function a bit like this:

@expose(..)
@identity.require(identity.has_permission("SeeMeetingRoomPlanning"))
def get_meeting_room_planning(self):
    ...

After creating this special group the permissions can be added to it
just like it's done on any group. For example, the LocalNetwork group
could be granted the "SeeMeetingRoomPlanning" permission, allowing any
person browsing the website from the intranet to see the meeting room
planning, even though this person is not authenticated.

This is it, I hope it is clear enough. I'm going to work on this very
soon, and would appreciate some feedback on the idea.

Best regards,

Christophe
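The following sketch is an added example, not Christophe's code and not part of TurboGears' identity framework; every class and function name in it (SpecialGroup, Request, PREDICATES, parse_predicate, effective_permissions) is an assumption made for illustration. It shows the two points of the proposal in working form: a SpecialGroup whose predicate is stored as text in the database and whose permissions are granted to whoever satisfies it, and a permission check that unions ordinary group rights with the rights of every SpecialGroup whose predicate holds for the current request. Because the predicate text is edited by site users rather than developers, it is parsed against an allow-list of named predicate functions instead of being handed to eval(), and any malformed predicate or unparseable client address fails closed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical sketch (all names are assumptions): a SpecialGroup carries a
# predicate *string* stored in the database, evaluated against the request.

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)      # names of ordinary groups

@dataclass
class Request:
    remote_addr: str            # address the server itself saw, never a client-supplied header
    user: "User | None" = None  # None means an anonymous visitor

@dataclass
class Group:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class SpecialGroup:
    name: str
    predicate: str              # e.g. "from_network('192.168.1.0/24')", edited by site users
    permissions: set = field(default_factory=set)

# Only these named predicates may be referenced from stored text; the text is
# never passed to eval(), so a user editing a SpecialGroup cannot run code.
def from_network(req, cidr):
    return ipaddress.ip_address(req.remote_addr) in ipaddress.ip_network(cidr, strict=False)

def is_anonymous(req):
    return req.user is None

def is_authenticated(req):
    return req.user is not None

PREDICATES = {
    "from_network": from_network,
    "is_anonymous": is_anonymous,
    "is_authenticated": is_authenticated,
}

# Accepted grammar: name('arg', 'arg', ...) with quoted string arguments only.
_CALL = re.compile(r"^\s*([A-Za-z_]\w*)\s*\((.*)\)\s*$")

def parse_predicate(text):
    m = _CALL.match(text)
    if not m:
        raise ValueError("predicate is not of the form name('arg', ...)")
    name, argtext = m.groups()
    if name not in PREDICATES:
        raise ValueError("unknown predicate %r" % name)
    args = []
    for raw in (a.strip() for a in argtext.split(",")):
        if raw == "":
            continue
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            args.append(raw[1:-1])
        else:
            raise ValueError("only quoted string arguments are allowed: %r" % raw)
    return name, args

def evaluate_predicate(text, req):
    name, args = parse_predicate(text)
    return bool(PREDICATES[name](req, *args))

def effective_permissions(req, groups, special_groups):
    perms = set()
    if req.user is not None:
        for g in groups:
            if g.name in req.user.groups:
                perms |= g.permissions
    for sg in special_groups:
        try:
            granted = evaluate_predicate(sg.predicate, req)
        except ValueError:
            granted = False     # malformed predicate or bad address: fail closed
        if granted:
            perms |= sg.permissions
    return perms

def has_permission(req, perm, groups, special_groups):
    return perm in effective_permissions(req, groups, special_groups)

# Constructed sample data mirroring the post's LocalNetwork example.
GROUPS = [Group("staff", {"EditPlanning"})]
SPECIAL_GROUPS = [
    SpecialGroup("LocalNetwork", "from_network('192.168.1.0/24')", {"SeeMeetingRoomPlanning"}),
    SpecialGroup("Anonymous", "is_anonymous()", {"ViewPublicPages"}),
]

if __name__ == "__main__":
    intranet = Request("192.168.1.42")
    internet = Request("203.0.113.9")
    print(has_permission(intranet, "SeeMeetingRoomPlanning", GROUPS, SPECIAL_GROUPS))  # True
    print(has_permission(internet, "SeeMeetingRoomPlanning", GROUPS, SPECIAL_GROUPS))  # False
```

Two design choices matter for the "location" use case. The remote_addr fed to from_network must be the address the server observed on the connection (or one set by a reverse proxy the server trusts), since a client can set headers such as X-Forwarded-For to any value and would otherwise place itself on the intranet. And the predicate grammar is deliberately tiny: adding a new kind of condition means a developer adds a function to PREDICATES, while site users can only combine the names already offered.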

Florent Aide

Sep 27, 2007, 11:24:25 AM9/27/07
to turbo...@googlegroups.com
> This is it, I hope is clear enough. I'm going to work on this very
> soon, and would appreciate some feedback on the idea.
>

This is a really interesting idea. I think the gory details of such a
change should be discussed in the trunk list though :)

Florent.
