[ZODB-Dev] ZEO and access permissions

Jim Fulton jim at zope.com
Sun May 23 11:53:33 EDT 2010


On Sat, May 22, 2010 at 8:17 AM, Nitro <nitro at dr-code.org> wrote:
> Hello,
>
> ZEO already supports authenticated logins.  Based on the login I'd like
> people to be able to access some objects and deny access to others.
>
> First I thought I'd do the access restrictions on the application level.
> This doesn't seem to be too easy though, because a user might have access
> to an object, but accessing one of its sub-objects might be disallowed.
> Checking this everywhere seems hard, error-prone and potentially slow.
>
> So I wondered whether it might be possible to integrate this directly into
> ZEO. E.g. by subclassing ZEOStorage and hooking methods like
> loadEx/loadBefore/deleteObject/store. Each object and each user would have
> something like a permission_id attribute. Then one could write something
> like
>
> class AccessRestrictedZEOStorage(ZEOStorage):
>     def loadEx(self, oid):
>         obj = ZEOStorage.load( self, oid )
>         # get user here somehow
>         return self.checkAccess( obj, user, 'read' )
>
>     def checkAccess(self, obj, user, access):
>         # this check can be more sophisticated, check for
>         # read/write/delete rights etc
>         if user.permission_id < obj.permission_id:
>             raise AccessDeniedError()
>         # hand the object back so loadEx has something to return
>         return obj
>
> Is something like this viable?

Yes, for suitable definition of "like". :)

> Does it make sense at all or is it still
> better to restrict access on the application level?

I would do it at the storage level, not in the application nor in ZEO.

It is probably possible with some sort of wrapper storage.  There are
lots of details to be worked out.  This is a project I've been looking
forward to working on for some time, but it is still pretty far down
on my list.

Jim

--
Jim Fulton
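
A minimal sketch of the wrapper-storage idea discussed in this message, added here as an illustration and not code from ZODB, ZEO or either poster. `DictStorage`, `AccessCheckingStorage`, the integer oids and the sample records are all hypothetical; the toy storage keeps a permission_id beside each record, which is an assumption about where that value would live.

```python
class AccessDeniedError(Exception):
    """Raised when the caller's permission_id is too low for a record."""


class DictStorage:
    """Toy in-memory storage (assumption): oid -> (data, permission_id)."""

    def __init__(self):
        self.records = {}


class AccessCheckingStorage:
    """Wraps a storage for one authenticated user; checks every oid."""

    def __init__(self, base, user_permission_id):
        self._base = base
        self._level = user_permission_id

    def _check(self, oid, access):
        # Same comparison as the sketch in the question.
        _data, required = self._base.records[oid]
        if self._level < required:
            raise AccessDeniedError(f"{access} denied for oid {oid}")

    def load(self, oid):
        self._check(oid, "read")
        return self._base.records[oid][0]

    def store(self, oid, data):
        if oid in self._base.records:
            self._check(oid, "write")
            required = self._base.records[oid][1]  # overwrite keeps the level
        else:
            required = self._level  # new records inherit the writer's level
        self._base.records[oid] = (data, required)

    def delete(self, oid):
        self._check(oid, "delete")
        del self._base.records[oid]


def build_sample():
    """Constructed data: a parent record (level 1) that references a
    sub-object record (level 5) by oid."""
    base = DictStorage()
    base.records[1] = ({"title": "project", "child_oid": 2}, 1)
    base.records[2] = ({"salary": 100}, 5)
    return base
```

Because the check runs per oid inside the wrapper, a user who can load the parent record is still refused when following `child_oid` to the restricted sub-object, without any check in application code.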

