[Zope-DB] Per-user connections
Mon, 09 Dec 2002 12:24:05 +0100
Iain Anderson wrote:
> Am I missing the bl***ing obvious here :-) ... but why can't you use
> whatever is your normal Zope authentication and then pass
> AUTHENTICATED_USER into your ZSQL methods for authorisation, auditing etc.
That's putting the burden on the application(s), for things the dbms is
perfectly equipped to do.
E.g., say I create some thingy:
1. check the user has the appropriate right (can be done with Zope's
2a. INSERT INTO thingy(...) VALUES(...)
2b. INSERT INTO AUDIT(...) VALUES(...)
(or calling some stored proc)
2. INSERT INTO thingy(..., who_to_blame) VALUES(...,
With thingy defined as a view with appropriate rewriting
Or: Use procedures such as insert_into_thingy(..., who_to_blame). Tried
this, maintenance nightmare.
To delete a thingy:
DELETE FROM thingy WHERE ...
INSERT INTO AUDIT(...) VALUES(...)
or, with the magic:
DELETE FROM thingy WHERE ... AND who_to_blame = request.AUTHENTICATED_USER
And more half-baked templates for each action on each table. Now, say
I'm to audit SELECTs too? :)
> Oracle now recognises the difficulty of registering every possible user
> in the database and e.g with the use of virtual private databases
> expects to pick up user/authentication information from the context of
> each database call.
I'm old fashioned, expecting to use tools designed for the job...
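
Added example, not part of the original message or of any Zope code: a sketch of the database-side auditing the reply argues for, where each user connects under their own database login and a trigger records who changed what, so no ZSQL method has to pass AUTHENTICATED_USER or write its own audit row. It assumes PostgreSQL 11 or later; the column layout of thingy and audit, the app_users role and the trigger names are hypothetical.

```sql
-- Added example (PostgreSQL 11+ assumed); all object names below are hypothetical.
CREATE TABLE thingy (
    id   serial PRIMARY KEY,
    name text NOT NULL
);

CREATE TABLE audit (
    at      timestamptz NOT NULL DEFAULT now(),
    who     name        NOT NULL,  -- database login role, never an application-supplied value
    action  text        NOT NULL,  -- INSERT, UPDATE or DELETE
    tbl     text        NOT NULL,
    row_id  integer
);

-- SECURITY DEFINER lets the trigger write to audit with the owner's rights.
-- session_user still reports the role that logged in, whereas current_user
-- would report the function owner inside a SECURITY DEFINER function.
CREATE FUNCTION audit_thingy() RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO audit (who, action, tbl, row_id)
        VALUES (session_user, TG_OP, TG_TABLE_NAME, OLD.id);
    ELSE
        INSERT INTO audit (who, action, tbl, row_id)
        VALUES (session_user, TG_OP, TG_TABLE_NAME, NEW.id);
    END IF;
    RETURN NULL;  -- the return value of an AFTER row trigger is ignored
END;
$$;

CREATE TRIGGER thingy_audit
AFTER INSERT OR UPDATE OR DELETE ON thingy
FOR EACH ROW EXECUTE FUNCTION audit_thingy();

-- Per-user logins are made members of app_users. They can change thingy,
-- but get no privileges on audit, so they cannot edit or erase the trail.
CREATE ROLE app_users NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON thingy TO app_users;
GRANT USAGE ON SEQUENCE thingy_id_seq TO app_users;
REVOKE ALL ON audit FROM PUBLIC;
```

With a single shared connection account, session_user would be the same for every row, which is why this approach depends on per-user connections.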