Reputation: 11808
I'm writing a web app, and I'd like to use repoze.what & repoze.who to handle my authorisation & authentication. The problem is that repoze.what seems to be hard-coded to accept a certain permissions model, that is:
So, for example, your permissions might be 'can-post-article' and 'can-post-comment', and your groups might be 'author', 'visitor', where 'author' can both post articles & post comments, while visitors can only post comments.
That model probably works for most sites. However, my site allows teams to collaborate with each other on different levels. So the security model that I need is:
The number of groups will change over time, and the memberships of those groups will also change. I can't see any easy way to integrate this permissions model into repoze.what. Am I missing something obvious?
Upvotes: 0
Views: 236
Reputation: 11808
I have an answer, after a bit of fiddling.
The answer is that the only reason to use the authentication schema suggested in the repoze.what documentation is that if you do, you can use their predicates for free. Fortunately, writing & using your own predicates is a piece of cake. It seems to me that the only hard requirement is for a user object (although obviously you can call this whatever you want). In my app I have a bunch of custom predicates that check certain things like:
I can then use these predicates wherever I want.
Upvotes: 0
Reputation: 172309
Well, you could easily just have a "Group_A_commenter" group and "Group_B_editor" group. They don't have to be manually generated. :) Your model is really just a matter of grouping the groups.
But you should also be able to make Predicate checkers that implement your rules.
http://what.repoze.org/docs/1.0/Manual/Predicates/index.html#term-predicate
Upvotes: 2
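A custom predicate for per-team roles, as an added example that is not code from the question or from either answer; it illustrates both the custom predicates of the first answer and the predicate checkers suggested in the second. The role names, the myapp.team_id environ key, the lookup function and the sample memberships are assumptions, and the small stand-in base class is used only when repoze.what is not importable.

```python
try:
    from repoze.what.predicates import Predicate, NotAuthorizedError
except ImportError:
    # Stand-in with the same shape as the repoze.what 1.0 base class,
    # so the example runs where the library is not installed.
    class NotAuthorizedError(Exception):
        pass

    class Predicate(object):
        message = "Not authorized"
        def __init__(self, msg=None):
            if msg:
                self.message = msg
        def unmet(self):
            raise NotAuthorizedError(self.message)
        def is_met(self, environ):
            try:
                self.evaluate(environ, environ.get("repoze.what.credentials"))
                return True
            except NotAuthorizedError:
                return False

# Hypothetical collaboration levels, lowest to highest.
ROLE_RANK = {"viewer": 0, "commenter": 1, "editor": 2}

class has_team_role(Predicate):
    """Met when the user holds at least minimum_role in the request's team."""
    message = "The current user lacks the required role in this team"

    def __init__(self, minimum_role, role_lookup, **kwargs):
        super(has_team_role, self).__init__(**kwargs)
        self.required = ROLE_RANK[minimum_role]  # a typo fails at definition time
        self.role_lookup = role_lookup           # queried per request, so changes apply

    def evaluate(self, environ, credentials):
        userid = (credentials or {}).get("repoze.who.userid")
        team = environ.get("myapp.team_id")      # assumed to be set by routing
        role = self.role_lookup(userid, team) if userid and team else None
        if ROLE_RANK.get(role, -1) < self.required:  # unknown role or user: deny
            self.unmet()

# Constructed sample data standing in for the application's membership table.
MEMBERSHIPS = {("alice", "team-a"): "editor", ("alice", "team-b"): "commenter"}

def lookup(userid, team):
    return MEMBERSHIPS.get((userid, team))

def allowed(userid, team, minimum_role):
    environ = {"myapp.team_id": team,
               "repoze.what.credentials": {"repoze.who.userid": userid}}
    return has_team_role(minimum_role, lookup).is_met(environ)
```

Because the role is looked up at evaluation time, teams and memberships can be added or changed without redefining any groups or permissions.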