[ZODB-Dev] ZEO and access permissions
Nitro
nitro at dr-code.org
Sat May 22 08:17:23 EDT 2010
Hello,
ZEO already supports authenticated logins. Based on the login I'd like
people to be able to access some objects and deny access to others.
First I thought I'd do the access restrictions on the application level.
This doesn't seem to be too easy though, because a user might have access
to an object, but accessing one of its sub-objects might be disallowed.
Checking this everywhere seems hard, error-prone and potentially slow.
So I wondered whether it might be possible to integrate this directly into
ZEO. E.g. by subclassing ZEOStorage and hooking methods like
loadEx/loadBefore/deleteObject/store. Each object and each user would have
something like a permission_id attribute. Then one could write something
like
class AccessRestrictedZEOStorage(ZEOStorage):
def loadEx(self, oid):
obj = ZEOStorage.load( self, oid )
# get user here somehow
return self.checkAccess( obj, user, 'read' )
def checkAccess(self, obj, user, access):
# this check can be more sophisticated, check for
read/write/delete rights etc
if user.permission_id < obj.permission_id:
raise AccessDeniedError()
Is something like this viable? Does it make sense at all or is it still
better to restrict access on the application level?
-Matthias
More information about the ZODB-Dev
mailing list