Thursday, September 30, 2010

Re: Need opinion for an object permission rule backend

Hi Michael,

I have been looking at your project, django.extauth, and I have to say I really like its architecture and permission handling. I have to say that my rule system is kind of the same thing as your role system, except mine is less flexible. I'm going to look a little bit at the code, install it and see if I can help you with anything.

The only thing that caught my eye is that the code is copyrighted. Why not use an open-source license?

Thanks for your mail, regards
Miguel Araujo

2010/9/30 mhall119 <mhall119@gmail.com>
I've recently open-sourced some code that I developed for my work
projects that may do at least part of what you need:
http://bitbucket.org/mhall119/django-extauth/wiki/Home

The basic idea is that you define a "role" that is a relationship
between a user and an instance of a given Model.  With your example,
you would create an "owner" role for your model, that somehow links
the user instance to the model instance.  Usually you do this directly
via a ForeignKey in your model, but they can be as complex as you want
them to be.

On Sep 30, 9:50 am, Miguel Araujo <muchoch...@gmail.com> wrote:
>  Hi everyone,
>
> I have been recently thinking about an object permission system. After
> reviewing Florian Apolloner's (apollo13) patch for ticket
> #11010<http://code.djangoproject.com/ticket/11010> and
> reading his article at Django
> Advent<http://djangoadvent.com/1.2/object-permissions/>,
> I thought about creating an Object Permission Rule Backend. The purpose of
> this message is to explain my idea to you, so I can receive feedback from Django
> users and developers. This way I would like to discern if it's worth coding
> it or if it's a good approach to a reusable solution.
>
> I will reuse apollo's code to elaborate my idea. My Backend would look
> similar to:
>
> from django.conf import settings
> from django.contrib.auth.models import User
> from django.contrib.contenttypes.models import ContentType
>
> class ObjectPermBackend(object):
>     supports_object_permissions = True
>     supports_anonymous_user = True
>
>     def authenticate(self, username, password):
>         # This backend only answers permission checks; it never logs anyone in.
>         return None
>
>     def has_perm(self, user_obj, perm, obj=None):
>         # Anonymous visitors are mapped to a dedicated User row.
>         if not user_obj.is_authenticated():
>             user_obj = User.objects.get(pk=settings.ANONYMOUS_USER_ID)
>
>         if obj is None:
>             return False
>
>         ct = ContentType.objects.get_for_model(obj)
>
>         # 'app.edit_article' -> 'edit'
>         try:
>             perm = perm.split('.')[-1].split('_')[0]
>         except IndexError:
>             return False
>
>         # Simplified rule system
>         # Of course objects should extend an interface
>         if perm == "ownage":
>             return obj.is_owned_by(user_obj)
>
>         elif perm == "edit":
>             return obj.can_be_edited_by(user_obj)
>
>         # Here be Dragons
>
> As I love decorators, I would like to create a permission_required decorator
> that accepted more than a parameter, so:
>
> @permission_required('app.code_name') would
> become @permission_required('app.code_name', FLAG)
>
> If the FLAG is set the decorator searches in the model associated to the
> content type of the permission, for the name of the field for the PK. For
> the example imagine idArticle. Now it instantiates an object of that model
> with Model.objects.get(pk=request.idArticle). So it would be necessary to
> match request parameters to model fields (This is the best idea I've come up
> with). Once it has the right object, it passes it to the backend for
> permission checks.
>
> I know I could do a decorator like @own_article but I'm looking for a more
> reusable solution, that I would make open source and release at Github.
>
> What do you think? Is it feasible and well laid out?
>
> Thanks, best regards
> Miguel Araujo

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
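
The rule backend and flagged decorator proposed in the quoted message, written without Django so it runs stand-alone. This is an added example, not code from the thread or from django-extauth. `Article`, `ARTICLES`, `RULES`, the two exception classes and the `store`/`pk_arg` parameters are hypothetical stand-ins for Django models and request parameters, and the example assumes unknown rules and missing users are denied.

```python
from functools import wraps

class PermissionDenied(Exception):
    """The rule backend refused access (would map to HTTP 403)."""

class NotFound(Exception):
    """The referenced object does not exist (would map to HTTP 404)."""

class Article:
    """Constructed sample model exposing the rule interface from the thread."""
    def __init__(self, pk, owner, editors=()):
        self.pk, self.owner, self.editors = pk, owner, set(editors)
    def is_owned_by(self, user):
        return user == self.owner
    def can_be_edited_by(self, user):
        return user == self.owner or user in self.editors

ARTICLES = {1: Article(1, "alice", editors=["bob"])}  # constructed object store

# Rule name -> method on the object. Anything not listed here is denied.
RULES = {"ownage": "is_owned_by", "edit": "can_be_edited_by"}

def has_perm(user, perm, obj=None):
    """Object-level check: deny unless a known rule explicitly returns True."""
    if user is None or obj is None:
        return False
    rule = perm.split(".")[-1].split("_")[0]   # 'app.edit_article' -> 'edit'
    name = RULES.get(rule)
    if name is None:
        return False                           # unknown rule: no fall-through
    return bool(getattr(obj, name)(user))

def permission_required(perm, store, pk_arg):
    """Resolve the object named by the view's pk argument, then ask has_perm."""
    def decorator(view):
        @wraps(view)
        def wrapper(user, **kwargs):
            obj = store.get(kwargs.get(pk_arg))
            if obj is None:
                raise NotFound(pk_arg)
            if not has_perm(user, perm, obj):
                raise PermissionDenied(perm)
            # Hand the checked object to the view so it cannot act on another id.
            return view(user, obj)
        return wrapper
    return decorator

@permission_required("app.edit_article", ARTICLES, "idArticle")
def edit_article(user, article):
    return "%s edits article %d" % (user, article.pk)
```

The view receives the object that was actually checked rather than the raw id, so the permission decision and the action always refer to the same record.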

