ownership authorization


Jason

Jun 17, 2011, 9:52:53 AM6/17/11
to pylons-...@googlegroups.com
Has anyone implemented an authorization check that can look up whether the current user owns the object they are trying to access?

For instance, using repoze.what I would have made a custom predicate which retrieves the object's id from request.matchdict['id'] and looks up whether the current user owns the object (each object would have a separate custom predicate).

Is there a similar analog using Pyramid's authorization?

Alternatively: has anyone started work on a repoze.what authorization policy?

Thanks,

Jason

Thomas G. Willis

Jun 17, 2011, 12:16:01 PM6/17/11
to pylons-...@googlegroups.com
I've done it with traversal and didn't need to use repoze.what.

Basically you just derive your __acl__ attribute any way you wish. The trick is getting the user associated with the request, but if you are passing the request into your root_factory function that shouldn't be too much of a problem.

Get familiar with these things and you should be well on your way.


Jason

Jun 17, 2011, 2:05:45 PM6/17/11
to pylons-...@googlegroups.com
I am using URL dispatch, so it's a little different from using the resources, and I just decided to implement repoze.what because it seems easier than I initially thought (after figuring out how to add the middleware).

The only thing I am having trouble with is getting the request in my custom authorization policy for repoze.what (so I can pass a repoze.what predicate to the permission keyword of the view config). The context is passed to the permits method, but I can't figure out how to get the request.

The context is the default root factory because I am using URL dispatch. I wonder if there is a way to get the request from the context, or to assign the request to the default root factory somewhere?

--Jason

Michael Merickel

Jun 18, 2011, 6:24:52 PM6/18/11
to pylons-...@googlegroups.com
Look at my pyramid auth demo on GitHub. It explains how you can use URL dispatch along with a resource tree to do row-level authentication. It basically boils down to creating a dynamic __acl__ property on your resource object that will return entries only for users that own your object. Specifically, look at the User object.
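The pattern both replies describe (a URL-dispatch root factory that receives the request, loads the object from request.matchdict, and returns a resource whose __acl__ is computed from the object's owner), as an added example that is not part of the thread or of the pyramid-auth-demo repository. It does not import Pyramid: the Allow/Deny/Everyone constants, the lineage walk in permits(), and FakeRequest are stand-ins (assumptions) for pyramid.security, ACLAuthorizationPolicy and pyramid.request, written to match Pyramid's "first matching ACE wins, walking from the context up to the root" semantics so that the example runs offline. The DOCUMENTS table and the "user:<id>" principal naming are constructed sample data.

```python
# Added example (not from the thread or pyramid-auth-demo). Mirrors Pyramid's
# ACL pattern without importing pyramid: the constants below and permits()
# are minimal stand-ins for pyramid.security and ACLAuthorizationPolicy.
Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
ALL_PERMISSIONS = object()

# Constructed sample data standing in for a database table of documents.
DOCUMENTS = {
    1: {"id": 1, "owner_id": "alice", "title": "alice's notes"},
    2: {"id": 2, "owner_id": "bob", "title": "bob's plan"},
}


class NotFound(Exception):
    pass


class DocumentResource:
    """Context for one document; its ACL is derived from the row's owner."""

    def __init__(self, doc):
        self.doc = doc
        self.__parent__ = None  # no root above us, so no ACL fall-through
        self.__name__ = str(doc["id"])

    @property
    def __acl__(self):
        # Owner gets view/edit/delete, everyone may view, and a trailing
        # Deny-all stops any other permission from matching further up.
        return [
            (Allow, "user:%s" % self.doc["owner_id"], ("view", "edit", "delete")),
            (Allow, Everyone, "view"),
            (Deny, Everyone, ALL_PERMISSIONS),
        ]


def document_factory(request):
    """Root factory for a url-dispatch route such as '/docs/{id}'.

    The request is available here, so the ownership lookup happens now;
    permits() later only needs the context it returns.
    """
    try:
        doc_id = int(request.matchdict["id"])
    except (KeyError, ValueError):
        raise NotFound("missing or non-numeric id") from None
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return DocumentResource(doc)


def lineage(context):
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)


def permits(context, principals, permission):
    """ACL check: first matching ACE wins, walking context -> parents."""
    for resource in lineage(context):
        for action, principal, perms in getattr(resource, "__acl__", ()):
            if principal not in principals:
                continue
            if isinstance(perms, str):
                perms = (perms,)
            if perms is ALL_PERMISSIONS or permission in perms:
                return action == Allow
    return False  # nothing matched anywhere: deny by default


class FakeRequest:
    """Stand-in for the pieces of pyramid.request.Request used here."""

    def __init__(self, doc_id, user_id=None):
        self.matchdict = {"id": doc_id}
        self.authenticated_userid = user_id

    @property
    def effective_principals(self):
        principals = [Everyone]
        if self.authenticated_userid:
            principals.append("user:%s" % self.authenticated_userid)
        return principals


def check(doc_id, user_id, permission):
    """What the framework does per request: factory, then ACL check."""
    request = FakeRequest(doc_id, user_id)
    context = document_factory(request)
    return permits(context, request.effective_principals, permission)


if __name__ == "__main__":
    print(check("1", "alice", "edit"))  # owner may edit
    print(check("1", "bob", "edit"))    # non-owner may not
    print(check("2", None, "view"))     # anonymous may still view
```

The point of keeping the ownership lookup inside the root factory is that the authorization policy never needs the request: by the time permits(context, principals, permission) runs, the context already carries the owner-derived ACL, and the policy only has to compare principals against it. The explicit Deny-all entry at the end of the ACL is worth keeping even when the resource has no parent, so that a later refactor that hangs these resources under a permissive root cannot silently widen access.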
