[Zope-DB] Zope - SQL authorisation model

Dieter Maurer dieter at handshake.de
Tue May 31 15:02:42 EDT 2005

Terry Kerr wrote at 2005-5-31 19:02 +1000:
> ...
>For example, the person who is authenticated to the site (will be 
>authenticated via my user folder looking at the credentials in the 
>person record in the person table), is only allowed to update records in 
>a specific table that they own, as determined by a foreign key link to 
>the person record.  The only way I can see to implement security is to 
>explicity code in my python form validation script, a check that makes 
>sure the person is infact allowed to edit the record...this in itself 
>would require a database query to check the foreign key link against the 
>authenticated user id. 
>My authorization gets more complicated than that though....

If you have complex rules (apparently, you do), then
you will need to implement them somewhere -- each of them...

>Another approach maybe to implement the authorization at the database 
>level by using GRANT, REVOKE, rules on tables, functions, views, etc.  
>If the Zope database connector could connect as the authenticated user, 
>then the rules would apply.

The standard Zope DAs do not directly support this.

In the SQLRelay documentation, I found that Oracle supports
user switching for a connection. If you have such
a database (and the user switching supported by your Python-database
bridge), then you can easily extend the DA to use this feature.

As I understand SQLRelay, it does this for you, in case the
database supports it (and "SQLRelay" knows that it does).

If your database system has a cheap "connect", then you
can create a new connection for each request and authenticate
the current user. Again "SQLRelayDA" can show you how to achieve this
(if you do not directly use "SQLRelayDA").


More information about the Zope-DB mailing list