[Zope-DB] Per-user connections

Yves Bastide Yves.Bastide@irisa.fr
Mon, 09 Dec 2002 12:24:05 +0100


Iain Anderson wrote:
> Am I missing the bl***ing obvious here :-) ... but why can't you use 
> whatever is your normal Zope authentication and then pass 
> AUTHENTICATED_USER into your ZSQL methods for authorisation, auditing etc.

That's putting the burden on the application(s), for things the dbms is 
perfectly equipped to do.

E.g., say I create some thingy:
1. check the user has the appropriate right (can be done with Zope's 
security system)
2a. INSERT INTO thingy(...) VALUES(...)
2b. INSERT INTO AUDIT(...) VALUES(...)
     (or calling some stored proc)

Or:
2. INSERT INTO thingy(..., who_to_blame) VALUES(..., 
request.AUTHENTICATED_USER)
With thingy defined as a view with appropriate rewriting

Or: Use procedures such as insert_into_thingy(..., who_to_blame).  Tried 
this, maintenance nightmare.

To delete a thingy:
DELETE FROM thingy WHERE ...
INSERT INTO AUDIT(...) VALUES(...)
or, with the magic:
DELETE FROM thingy WHERE ... AND who_to_blame = request.AUTHENTICATED_USER


And more half-baked templates for each action on each table.  Now, say 
I'm to audit SELECTs too? :)

> 
> Oracle now recognises the difficulty of registering every possible user 
> in the database and e.g. with the use of virtual private databases 
> expects to pick up user/authentication information from the context of 
> each database call.
> 

I'm old fashioned, expecting to use tools designed for the job...

Regards,

yves
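
An added example, not part of the original message: database-side auditing with per-user connections, so application code issues only plain DML and never passes a who_to_blame value. Assumptions: SQLite has no database accounts, so the hypothetical per-connection function `conn_user()` stands in for the session user a real DBMS would supply; the column names and sample users are constructed.

```python
import os
import sqlite3
import tempfile

# Audit rows are written by triggers, not by application statements.
SCHEMA = """
CREATE TABLE thingy (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE audit (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    who TEXT NOT NULL, action TEXT NOT NULL, thingy_id INTEGER NOT NULL
);
CREATE TRIGGER thingy_ins AFTER INSERT ON thingy BEGIN
    INSERT INTO audit (who, action, thingy_id)
    VALUES (conn_user(), 'INSERT', NEW.id);
END;
CREATE TRIGGER thingy_del AFTER DELETE ON thingy BEGIN
    INSERT INTO audit (who, action, thingy_id)
    VALUES (conn_user(), 'DELETE', OLD.id);
END;
"""

def connect(path, user):
    """Open a connection bound to one user (stand-in for a per-user DBMS login)."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    # Let triggers call the application-defined function below.
    conn.execute("PRAGMA trusted_schema = ON")
    # Identity is fixed when the connection is opened, not passed per statement.
    conn.create_function("conn_user", 0, lambda: user)
    return conn

def demo():
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    dba = connect(path, "dba")
    dba.executescript(SCHEMA)
    dba.close()
    alice, bob = connect(path, "alice"), connect(path, "bob")
    # Application code: no audit INSERTs and no user parameter anywhere.
    alice.execute("INSERT INTO thingy (name) VALUES ('widget')")
    bob.execute("DELETE FROM thingy WHERE name = 'widget'")
    rows = alice.execute(
        "SELECT who, action, thingy_id FROM audit ORDER BY seq").fetchall()
    alice.close()
    bob.close()
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```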