[Zope] Access Control Advice

John Eikenberry jae@kavi.com
Fri, 12 Mar 1999 13:08:18 -0800 (PST)


Hello all,

I am working on a Zope app, and would like to see if anyone has any tips
for how I should handle access control in this situation...

The site is a corporate organization site. It has many corporate members,
each of which has an admin who has control over a subset of information kept in a
relational database.

I want to have just one role (comp_admin) for this. But each company can
only have access to their own company info. Thus I need to check that the
admin belongs to that company. (There are also regular users, who also have
to log in. They can view, but not modify.)

The users, passwords and roles are kept in the database too (UserDB).

Each company has a unique id, and this is the primary key in the DB. Each
user is associated with the company using this id (a field in their table).

Make sense?

My current idea is:

1. Have a general main page which both users and admins log in to. If they
use the admin login, get their company id (comp_id) and create a link to
the admin section using the magic of direct traversal (this way they can
bookmark the admin page). E.g.

<a href="/comp/1/admin/">admin section</a>
('comp' is the zsql method, 1 is the comp_id, admin is the folder)

Thus the comp_id of the company will be available, and I could:

A. I could then (maybe?) use the comp_id in the UserDB query (in the admin
   folder) to only retrieve those people belonging to that company.

OR (if I can't get to the comp_id from the UserDB query).

B. I could then compare the person's comp_id to the company's comp_id
   in each of the affected pages via a new standard_header.

Thoughts? Better ways to do this?

---

John Eikenberry
[jae@kavi.com - http://taos.kavi.com/~jae/] 
______________________________________________________________
"A society that will trade a little liberty for a little order
 will deserve neither and lose both."
                                         --B. Franklin
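As an added illustration of the check the post is asking about (not code from the poster or from Zope), the example below models the two ideas in plain Python with an in-memory SQLite database standing in for UserDB. Option A is the company-scoped user query; option B is the comparison of the user's comp_id against the comp_id taken from the `/comp/<id>/admin/` path. The table names (`company`, `users`), column names, the `view`/`modify` action names, the sample rows, and the helper names `lookup_user`, `authorize` and `comp_id_from_path` are all assumptions made for this example. The point it demonstrates is that the role alone (comp_admin) is not sufficient: every request must also confirm that the user belongs to the company named in the URL, otherwise an admin of company 1 could simply bookmark `/comp/2/admin/`.

```python
import re
import sqlite3

# Constructed schema modelling the post's UserDB. Names are assumptions for
# this example, not the poster's actual tables.
SCHEMA = """
CREATE TABLE company (comp_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    role     TEXT NOT NULL,      -- 'comp_admin' or 'user'
    comp_id  INTEGER NOT NULL REFERENCES company(comp_id)
);
"""


def open_userdb():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO company VALUES (?, ?)",
                     [(1, "Acme"), (2, "Globex")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "comp_admin", 1),   # admin of company 1
        ("bob",   "user",       1),   # regular user of company 1
        ("carol", "comp_admin", 2),   # admin of company 2
    ])
    return conn


def lookup_user(conn, username, comp_id):
    """Option A from the post: the UserDB query is scoped by the comp_id
    from the path, so a user of another company is simply not found.
    Returns (role, comp_id) or None."""
    return conn.execute(
        "SELECT role, comp_id FROM users WHERE username = ? AND comp_id = ?",
        (username, comp_id),
    ).fetchone()


def authorize(conn, username, comp_id, action):
    """Decide whether `username` may perform `action` ('view' or 'modify')
    on the company identified by `comp_id` (the value taken from the URL).
    Two independent conditions are required: membership of this company,
    and, for modify, the comp_admin role. Anything else is denied."""
    row = lookup_user(conn, username, comp_id)
    if row is None:
        return False                      # not a member of this company
    role, user_comp_id = row
    if user_comp_id != comp_id:           # option B, kept as a belt-and-braces check
        return False
    if action == "view":
        return True
    if action == "modify":
        return role == "comp_admin"
    return False                          # unknown action: deny by default


# Direct-traversal path as in the post: /comp/<comp_id>/<section>/
PATH_RE = re.compile(r"^/comp/(\d+)/(admin|view)/?$")


def comp_id_from_path(path):
    """Extract (comp_id, section) from the traversal path, or None if the
    path does not have the expected shape. Only digits are accepted for
    comp_id, so the value is converted to int before it reaches the DB."""
    m = PATH_RE.match(path)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def check_request(conn, username, path):
    """Tie the two together: map the section to an action and authorize."""
    parsed = comp_id_from_path(path)
    if parsed is None:
        return False
    comp_id, section = parsed
    action = "modify" if section == "admin" else "view"
    return authorize(conn, username, comp_id, action)


if __name__ == "__main__":
    db = open_userdb()
    for user, path in [("alice", "/comp/1/admin/"), ("alice", "/comp/2/admin/"),
                       ("bob", "/comp/1/view/"), ("bob", "/comp/1/admin/")]:
        print(user, path, "->", "allow" if check_request(db, user, path) else "deny")
```

Putting the comparison in one shared function (the equivalent of the post's `standard_header`) rather than in each page keeps the check from being forgotten on a page added later, and the path parser rejects anything that is not a plain integer before it is used in the query.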