[ZODB-Dev] ZEO and access permissions

Hanno Schlichting hanno at hannosch.eu
Sat May 22 08:55:02 EDT 2010


On Sat, May 22, 2010 at 2:17 PM, Nitro <nitro at dr-code.org> wrote:
> ZEO already supports authenticated logins. Based on the login I'd like
> people to be able to access some objects and deny access to others.
>
> First I thought I'd do the access restrictions on the application level.

That's the only sane thing to do.

You want to have higher level abstractions to manage security. Like
giving permissions based on their class, based on their relationship
to others. Usually you'll also want to go from just users to groups or
maybe use external authentication services at some point.

The database level is the wrong abstraction level to do this. In SQL
terms, you are trying to store a full-fledged security policy on each
database row. This is going to be prohibitively slow and unmanageable
very soon.

I think you could extend database users and permissions, to manage
access permissions on a full database / storage level. Potentially
introduce read/write permissions on this level. But anything more
fine-grained belongs to the application domain.

Hanno
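The application-level policy layer Hanno argues for, as an added example that is not code from the thread or from ZODB/ZEO: plain Python objects stand in for persistent objects, and the names Principal, Document, CLASS_POLICY and check_access are assumptions for illustration. It combines the three dimensions named above: permissions by class, by relationship (owner) and by group membership, with no policy stored per object in the database.

```python
# Added example (not from the thread or ZODB): an application-level access
# policy kept separate from ZEO/ZODB storage. Plain Python objects stand in
# for persistent objects; Principal, Document, CLASS_POLICY and check_access
# are illustrative names, not ZODB APIs.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """An authenticated user plus the groups resolved for them (e.g. by an external service)."""
    user_id: str
    groups: frozenset = field(default_factory=frozenset)


@dataclass
class Document:
    """Stands in for a persistent object; 'owner' is a relationship to a user."""
    title: str
    owner: str
    confidential: bool = False


# Class-level policy: which groups may perform which action on instances of a class.
# This lives in application code, not on each stored object.
CLASS_POLICY = {
    Document: {"read": {"staff", "editors"}, "write": {"editors"}},
}


def check_access(principal, obj, action):
    """Return True if principal may perform action on obj.

    Checks, in order: relationship grant (owner may read and write their own
    object), then a confidentiality override (confidential objects are only
    reachable through the relationship grant), then class-level group grants.
    """
    owner = getattr(obj, "owner", None)
    if owner is not None and owner == principal.user_id:
        return True
    if getattr(obj, "confidential", False):
        return False
    allowed_groups = CLASS_POLICY.get(type(obj), {}).get(action, set())
    return not principal.groups.isdisjoint(allowed_groups)
```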

