Authentication and Authorization

annet

May 3, 2009, 9:56:00 AM5/3/09
to web2py Web Framework
I have a couple of questions about the Auth class. To use
authentication I uncommented the following functions in db.py:

mail = Mail()
mail.settings.server = 'smtp.yourdomain.com:25'
mail.settings.sender = 'y...@yourdomain.com'
mail.settings.login = 'username@password'

auth = Auth(globals(), db)
auth.define_tables()
auth.settings.captcha = Recaptcha(request, public_key='RECAPTCHA_PUBLIC_KEY', private_key='RECAPTCHA_PRIVATE_KEY')

Furthermore, I defined a custom user table.


1) To register the visitor should complete a registration form, which
will be emailed from the application to the site administrator, who
will accept or reject the registration, and in case of acceptance
enter the registrants data into the auth_user table and
auth_membership table. So, I need a custom registration function and I
don't need the verify_email function. This makes me wonder whether I
could just uncomment the def user(): return dict(form=auth()) function
in default.py and add a custom def register(): function to default.py,
or whether I have to leave def user(): commented and add the functions
I do need like this: def login(): return (form=auth.login()) etc.


2) The custom user table has a field called company_id, when the user
logs in he should only be able to create, retrieve, update and delete
records that have this company_id, is this possible using CRUD or do I
have to write custom functions.


3) When assigning permissions, do I have to assign every permission
separately to every table for every group or is there a more efficient
way. I have 2 groups, 6 permissions and 20 tables, that would be 240
entries in auth_permission, wouldn't it?


4) I created two groups, datamanager and sitemanager, where
datamanager is an intersection of sitemanager. For example,
datamanager and sitemanager both have permission to update the address
table, but only sitemanager has permission to create, update and
delete the event table. Is there an efficient way to implement this?


5) Does record_id in the auth_permission table reference a specific
record? When would I use this?


6) What does the following decorator imply: @auth.requires_permission('create','tablename',1)
Doesn't @auth.requires_membership('Manager') and Manager through
auth_permission having a name:create, Table Name:tablename, Record Id:
1 permission accomplish the same?


I am looking forward to your answers to my questions,


Annet.

mdipierro

May 4, 2009, 11:34:41 AM5/4/09
to web2py Web Framework
On May 3, 8:56 am, annet <jmverm...@xs4all.nl> wrote:
> I have a couple of questions about the Auth class. To use
> authentication I uncommented the following functions in db.py:
>
> mail = Mail()
> mail.settings.server = 'smtp.yourdomain.com:25'
> mail.settings.sender = '...@yourdomain.com'
> mail.settings.login = 'username@password'
>
> auth = Auth(globals(), db)
> auth.define_tables()
> auth.settings.captcha = Recaptcha
> (request,public_key='RECAPTCHA_PUBLIC_KEY',private_key='RECAPTCHA_PRIVATE_KEY')
>
> Furthermore, I defined a custom user table.
>
> 1) To register the visitor should complete a registration form, which
> will be emailed from the application to the site administrator, who
> will accept or reject the registration, and in case of acceptance
> enter the registrants data into the auth_user table and
> auth_membership table. So, I need a custom registration function and I
> don't need the verify_email function. This makes me wonder whether I
> could just uncomment the def user(): return dict(form=auth()) function
> in default.py and add a custom def register(): function to default.py,
> or whether I have to leave def user(): commented and add the functions
> I do need like this: def login(): return (form=auth.login()) etc.

yes.
def login(): return dict(form=auth.login())
def register(): return dict(form=auth.register())
etc.

> 2) The custom user table has a field called company_id, when the user
> logs in he should only be able to create, retrieve, update and delete
> records that have this company_id, is this possible using CRUD or do I
> have to write custom functions.

Yes, but it takes a little work because it depends on details.
Every user also has a group associated uniquely to him.

mygroup = db(auth.table_group.role == 'user_%s' % user_id).select()[0]

Give permission to this group (or another group):

auth.add_permission(mygroup.id, 'update', 'company', company_id)  # add_permission takes the group id

It does not matter if 'company' is a table or not.
Now, the second arg of crud.update can be a record or a record_id, so
you can do

def update_mytable():
    record_id = int(request.args[0])
    record = db.mytable[record_id]
    # refuse unless the user's group holds 'update' on this record's company
    if not record or not auth.has_permission('update', 'company', record.company_id):
        redirect(...)  # somewhere appropriate
    form = crud.update(db.mytable, record)
    return dict(form=form)

> 3) When assigning permissions, do I have to assign every permission
> separately to every table for every group or is there a more efficient
> way. I have 2 groups, 6 permissions and 20 tables, that would be 240
> entries in auth_permission, wouldn't it?

Yes, if you use crud.settings.auth, but set it to None (the default,
actually).
You can define your own conventions as above. You do not necessarily
give permission to a table.

> 4) I created two groups, datamanager and sitemanager, where
> datamanager is an intersection of sitemanager. For example,
> datamanager and sitemanager both have permission to update the address
> table, but only sitemanager has permission to create, update and
> delete the event table. Is there an efficient way to implement this?

I would not use a simple action for all crud. Make one action for each
operation and use decorators:

@auth.requires_membership('manager')
def update():
    (table_name, record_id) = request.args[:2]
    return dict(form=crud.update(db[table_name], record_id))

> 5) Does record_id in the auth_permission table reference a specific
> record? When would I use this?

0 means all records. >0 indicates a specific record.

> 6) What does the following decorator imply: @auth.requires_permission('create','tablename',1)

It checks whether the currently logged in user belongs to a group that
has permission 'create' on table 'tablename' and record 1 or the
entire table.

> Doesn't @auth.requires_membership('Manager') and Manager through
> auth_permission having a name:create, Table Name:tablename, Record Id:
> 1 permission accomplish the same?

You can use group based access control (has_membership) or more
granular access (has_permission). It depends.

> I am looking forward to your answers to my questions,
>
> Annet.

Sorry for the late reply. I missed your post before.
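The permission model described in the reply (a private group per user, `add_permission` on the pseudo-table 'company', `has_permission` checks with record_id 0 meaning "all records"), as an added stand-alone example that is not web2py's own code or part of the thread. It re-implements just enough of the Auth semantics in memory to run offline; group ids, user ids and company ids are constructed here.

```python
# Added example (not web2py's code): an in-memory model of how web2py's Auth
# resolves has_permission(), used to show the company_id scoping pattern.
from collections import namedtuple

Permission = namedtuple("Permission", "group_id name table_name record_id")

class MiniAuth:
    """Group-based access control with web2py-style permission rows."""
    def __init__(self):
        self.groups = {}          # role -> group_id
        self.memberships = set()  # (user_id, group_id)
        self.permissions = []     # Permission rows; record_id 0 = all records

    def add_group(self, role):
        self.groups[role] = len(self.groups) + 1
        return self.groups[role]

    def add_membership(self, group_id, user_id):
        self.memberships.add((user_id, group_id))

    def add_permission(self, group_id, name, table_name, record_id=0):
        self.permissions.append(Permission(group_id, name, table_name, record_id))

    def has_membership(self, user_id, role):
        return (user_id, self.groups.get(role)) in self.memberships

    def has_permission(self, user_id, name, table_name, record_id=0):
        """True if any of the user's groups holds the permission. A row with
        record_id 0 covers every record; >0 covers only that record."""
        user_groups = {g for (u, g) in self.memberships if u == user_id}
        return any(p.group_id in user_groups and p.name == name
                   and p.table_name == table_name
                   and p.record_id in (0, record_id)
                   for p in self.permissions)

def setup_company_scoping(auth, user_id, company_id):
    """The reply's convention: a private group 'user_<id>' per user, granted
    'update' on the pseudo-table 'company' for the user's own company_id.
    'company' does not have to be a real table."""
    gid = auth.add_group("user_%s" % user_id)
    auth.add_membership(gid, user_id)
    auth.add_permission(gid, "update", "company", company_id)
    return gid

def can_update_record(auth, user_id, record):
    """The check update_mytable() performs before calling crud.update():
    the record's company_id must match a company the user may update."""
    return auth.has_permission(user_id, "update", "company", record["company_id"])
```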