[Zope-DB] Zope - SQL authorisation model

Dieter Maurer dieter at handshake.de
Tue May 31 15:02:42 EDT 2005


Terry Kerr wrote at 2005-5-31 19:02 +1000:
> ...
>For example, the person who is authenticated to the site (will be 
>authenticated via my user folder looking at the credentials in the 
>person record in the person table), is only allowed to update records in 
>a specific table that they own, as determined by a foreign key link to 
>the person record.  The only way I can see to implement security is to 
>explicitly code in my python form validation script, a check that makes 
>sure the person is in fact allowed to edit the record...this in itself 
>would require a database query to check the foreign key link against the 
>authenticated user id. 
> 
>My authorization gets more complicated than that though....

If you have complex rules (apparently, you do), then
you will need to implement them somewhere -- each of them...

>...
>Another approach maybe to implement the authorization at the database 
>level by using GRANT, REVOKE, rules on tables, functions, views, etc.  
>If the Zope database connector could connect as the authenticated user, 
>then the rules would apply.

The standard Zope DAs do not directly support this.

In the SQLRelay documentation, I found that Oracle supports
user switching for a connection. If you have such
a database (and the user switching supported by your Python-database
bridge), then you can easily extend the DA to use this feature.

As I understand SQLRelay, it does this for you, in case the
database supports it (and "SQLRelay" knows that it does).

If your database system has a cheap "connect", then you
can create a new connection for each request and authenticate
the current user. Again "SQLRelayDA" can show you how to achieve this
(if you do not directly use "SQLRelayDA").

-- 
Dieter
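
The explicit ownership check discussed in this thread, as an added example that is not part of the original posts: the foreign-key test is folded into the UPDATE itself instead of being run as a separate query beforehand. The standard-library sqlite3 module stands in for the real database, and the table, column and function names (person, note, owner_id, update_owned_note) are hypothetical.

```python
import sqlite3

# Constructed schema and sample rows; table and column names are hypothetical.
SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL);
CREATE TABLE note (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES person(id),
    body TEXT NOT NULL
);
INSERT INTO person (id, login) VALUES (1, 'alice'), (2, 'bob');
INSERT INTO note (id, owner_id, body)
    VALUES (10, 1, 'alice note'), (20, 2, 'bob note');
"""


class NotAuthorized(Exception):
    """The authenticated user does not own the record, or it does not exist."""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_owned_note(conn, auth_login, note_id, new_body):
    """Update a note only if its owner_id links to the authenticated person.

    The ownership test is part of the UPDATE, so there is no window between
    a separate check query and the write. Every value is a bound parameter.
    """
    cur = conn.execute(
        "UPDATE note SET body = ? "
        "WHERE id = ? "
        "AND owner_id = (SELECT id FROM person WHERE login = ?)",
        (new_body, note_id, auth_login),
    )
    if cur.rowcount != 1:  # no row matched: wrong owner, unknown user or id
        conn.rollback()
        raise NotAuthorized(f"{auth_login!r} may not edit note {note_id}")
    conn.commit()


def note_body(conn, note_id):
    row = conn.execute("SELECT body FROM note WHERE id = ?", (note_id,)).fetchone()
    return row[0]
```

The auth_login argument is meant to come from the authenticated session, never from a form field.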

