Hi, here is my solution:

There are some abstract *actions* like view/edit/delete/upload/download and so on.

There are the *roles* that define combinations of the actions - it's the table that has a 'value' bit field - each bit corresponds to an action.

There are the *groups* and two symmetric relation tables: *user_group_role*, *object_group_role*; object means anything on which the actions could be performed.

Now, the set of allowed actions on the object for the user could be calculated:

- find the `intersection` (common) groups of *user* and *object* (inner join on group)
- logical sum up role.value (bitwise aggregate OR) for *user_group_role* and for *object_group_role* = *user_sum_role*, *object_sum_role*
- *allowed_actions_set* = *user_sum_role* AND *object_sum_role* (bitwise AND)
For example: the user has membership in orgA with role 'super', but orgA has only the 'read' role on the *object* - 'super' will be trimmed to 'read'... but if the user also has membership under 'super' in another group which has 'super' against the object too, role_action_set won't be trimmed.

On Tuesday, January 17, 2017 at 7:59:27 PM UTC+3, Leonel Câmara wrote:
>
> I'm in the process of turning an application that was used by a single organization into one that will be used by many. I'm using regular Auth and auth groups to manage which users can do what according to what groups they have memberships on.
>
> The first problem I'm facing is that the users that belong to a given auth_group will now only belong to that group in a given organization, which I guess would also be a problem with regular auth functions.
>
> Another problem is that I want the organizations to be able to share some of their data with another organization.
>
> So, right now, I'm considering what would be the best architecture for the application.
>
> One idea would be to store the organization the user is currently browsing with (no reason to limit that one user can only belong to one organization) in session, then I would have to check in each controller if the user has the right group and organization for what he wants to do; this would pollute my code somehow.
>
> Another idea is for each organization to become a group, then what I use groups for right now will be permissions; this is probably the best route. This would still leave the problem of making the user see the right data depending on which organization he is currently browsing with.
>
> Any advice on how to do this as cleanly as possible in terms of code?
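As an added illustration (this is not the poster's code, and web2py is not required to run it), here is the bitmask scheme from the post modelled in plain Python: the `roles` value bit field, the two relation tables, the inner join on common groups, the bitwise OR per side and the final bitwise AND. The action bits, role definitions, users, groups and objects are constructed sample data. A second function, `allowed_actions_per_group`, is my own stricter variant rather than something from the post: it ANDs user and object roles inside each common group before ORing the per-group results, which matters when a user holds a strong role in one shared group and a weak one in another.

```python
"""Bitmask group/role permission check, modelled after the mailing-list post.

Added example, not the poster's code. All table contents below are
constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Abstract actions, one bit each (constructed values).
ACTIONS: Dict[str, int] = {
    "view": 1, "edit": 2, "delete": 4, "upload": 8, "download": 16,
}

# roles table: role name -> 'value' bit field (constructed role definitions).
ROLES: Dict[str, int] = {
    "read": ACTIONS["view"] | ACTIONS["download"],
    "super": sum(ACTIONS.values()),
}

Row = Tuple[str, str, str]  # (user or object id, group, role)

# user_group_role rows: (user, group, role) -- constructed sample data.
USER_GROUP_ROLE: List[Row] = [
    ("alice", "orgA", "super"),  # super in both groups that see doc1
    ("alice", "orgB", "super"),
    ("bob", "orgA", "super"),    # super only where the object is 'read'
    ("carol", "orgA", "super"),  # super in orgA, read in orgB
    ("carol", "orgB", "read"),
]

# object_group_role rows: (object, group, role) -- constructed sample data.
OBJECT_GROUP_ROLE: List[Row] = [
    ("doc1", "orgA", "read"),
    ("doc1", "orgB", "super"),
]


def _group_masks(table: List[Row], key: str) -> Dict[str, int]:
    """Map group -> bitwise OR of role values for one user (or object)."""
    out: Dict[str, int] = {}
    for who, group, role in table:
        if who == key:
            out[group] = out.get(group, 0) | ROLES[role]
    return out


def mask_to_actions(mask: int) -> Set[str]:
    """Expand a bit field back into the set of action names."""
    return {name for name, bit in ACTIONS.items() if mask & bit}


def allowed_actions(user: str, obj: str) -> Set[str]:
    """The post's algorithm: join on common groups, OR each side, AND across."""
    u = _group_masks(USER_GROUP_ROLE, user)
    o = _group_masks(OBJECT_GROUP_ROLE, obj)
    common = u.keys() & o.keys()          # the inner join on group
    user_sum_role = 0
    object_sum_role = 0
    for g in common:                      # bitwise aggregate OR per side
        user_sum_role |= u[g]
        object_sum_role |= o[g]
    return mask_to_actions(user_sum_role & object_sum_role)


def allowed_actions_per_group(user: str, obj: str) -> Set[str]:
    """Stricter variant (my alternative, not from the post): AND inside each
    common group first, then OR the per-group results."""
    u = _group_masks(USER_GROUP_ROLE, user)
    o = _group_masks(OBJECT_GROUP_ROLE, obj)
    mask = 0
    for g in u.keys() & o.keys():
        mask |= u[g] & o[g]
    return mask_to_actions(mask)


if __name__ == "__main__":
    for who in ("bob", "alice", "carol", "dave"):
        print(who, sorted(allowed_actions(who, "doc1")),
              "| per-group:", sorted(allowed_actions_per_group(who, "doc1")))
```

Running it reproduces the post's two cases: bob's 'super' in orgA is trimmed to orgA's 'read' on doc1, while alice keeps 'super' because orgB grants it on both sides. The carol row shows where the two aggregation orders diverge: with the post's side-then-AND order she receives every action on doc1 even though no single group grants her more than 'read' on it, whereas the per-group variant yields only 'read'. Which behaviour is wanted is a policy decision, but it is worth settling deliberately before the SQL version is written.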