Permission


A

Aug 5, 2005, 4:14:05 PM
to Django users
Hi,

I am exploring Django for the first time, and I like what I see. Great
work.

Looking at the security model, it is a RBAC (Role Based Access Control).
I have already a CBAC (Context Based Access Control) for a web
application in another framework and I would like to know how hard it will
be to modify ( me not the project ;-) ) the Django security part to
this other model (is it planned to be easy to modify?).

This means for example that user admin1 can specify that a user U1 can
only assign permissions to create files under category X for users
under group G2. Which not only implies a modification for the admin
interface but also for the validation of permissions while the user is
in session.

Any thoughts about this? Thanks.

A,

Jacob Kaplan-Moss

Aug 5, 2005, 6:25:09 PM
to django...@googlegroups.com
On Aug 5, 2005, at 3:14 PM, A wrote:
> I am exploring Django for the first time, and I like what I see. Great
> work.

Thanks!

> Looking at the security model, it is a RBAC (Role Based Access Control).
> I have already a CBAC (Context Based Access Control) for a web
> application in another framework and I would like to know how hard it will
> be to modify ( me not the project ;-) ) the Django security part to
> this other model (is it planned to be easy to modify?).
>
> This means for example that user admin1 can specify that a user U1 can
> only assign permissions to create files under category X for users
> under group G2. Which not only implies a modification for the admin
> interface but also for the validation of permissions while the user is
> in session.
>
> Any thoughts about this? Thanks.

Well, I don't really know much about security models (didn't know we
had an RBAC :), but it shouldn't be too hard to modify Django to use
a different security implementation. The current system is based
around a user.has_permission("permission name") function; I imagine
you could modify that function to work differently.

I'd love for Django to support different user/auth systems, so please
keep in touch about your efforts and if there's any sort of framework
support you could envision that would help you out.

Good luck!

Jacob

A

Aug 5, 2005, 6:38:33 PM
to Django users
Just "change" Group for Role and you have a basic RBAC: Users from
group A have the permissions assigned to that group.

I will look into the code in the following days and see if I can have
some fun ;-)

Thanks for the reply.

A.

Ksenia Marasanova

Aug 6, 2005, 3:48:18 AM
to django...@googlegroups.com
> a different security implementation. The current system is based
> around a user.has_permission("permission name") function; I imagine
> you could modify that function to work differently.

I have a similar function in another project (not converted to Django
yet). I use an optional argument for this, something like:

    def has_permission(self, permission_name, resource=None):
        # resource is a class instance of some model class. If resource is
        # passed, its property "author" is inspected, and in some cases some
        # extra business rules are checked.
        pass

In some places it's simple and works like RBAC:

    if user.has_permission('send_mail'):
        # send mail :)
        # send mail...
        pass

In other places it works like RBAC + CBAC: ;-)

    news_item = News.get(3)
    if user.has_permission('publish_news', news_item):
        # publish this news item
        pass


--
Ksenia
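
The has_permission(permission_name, resource=None) pattern from the post above, as an added example that is not code from the thread or from Django. The rule table, the managed_categories attribute and the sample groups are assumptions made for illustration; the point shown is that a resource-scoped permission is denied when the caller omits the resource, so a forgotten argument cannot fall back to the broader role-only answer.

```python
# Added illustration; all names below are assumptions, not Django API.
from dataclasses import dataclass, field

# Constructed sample data: group -> permission names (the RBAC part).
GROUP_PERMISSIONS = {
    "staff": {"send_mail"},
    "editors": {"send_mail", "publish_news"},
}

@dataclass
class News:
    author: str
    category: str

def may_publish(user, item):
    # Context rule: own item, or an item in a category the user manages.
    return item.author == user.name or item.category in user.managed_categories

# Permissions listed here are resource-scoped: the role grant alone
# is never sufficient for them.
CONTEXT_RULES = {"publish_news": may_publish}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    managed_categories: set = field(default_factory=set)

    def has_permission(self, permission_name, resource=None):
        # RBAC step: some group of the user must grant the permission.
        granted = any(permission_name in GROUP_PERMISSIONS.get(g, ())
                      for g in self.groups)
        if not granted:
            return False
        rule = CONTEXT_RULES.get(permission_name)
        if rule is None:
            return True   # plain role permission, no context needed
        if resource is None:
            return False  # fail closed: scoped permission checked without its resource
        return bool(rule(self, resource))

if __name__ == "__main__":
    ann = User("ann", {"editors"}, {"sports"})
    print(ann.has_permission("send_mail"))                            # role only
    print(ann.has_permission("publish_news", News("bob", "sports")))  # role + context
    print(ann.has_permission("publish_news"))                         # denied, no resource
```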