No, I don't think this helps, unless I'm misunderstanding something
(which is possible).

When using "auth.add_permission(group_id, 'name', 'object',
record_id)" the CRUD permissions are only enforced if the object is a
table (according to the book).  So, even assuming one could pass a
column as the object (to enable field based access control), the
web2py access system will not automatically enforce CRUD permissions
on this object (like it would with tables or records).  This level of
access control would require additional manual enforcement in the
controllers.

This doesn't help with state based permissions either.  The issue here
is that permissions may change depending upon the state of the
object.  Workflows are a good example.  If A is in group author and E
is in group editor, a workflow may demand that A has full CRUD rights
until the article is submitted for editing, then A only has read
rights over the SAME record and editor group gets read and update
rights only after submission of the article for editing.  Same record,
same groups, same users -- different permissions based on the state of
the record (which could be indicated by the content of a field).

> On Friday, October 21, 2011 3:54:26 PM UTC-4, Triquetra wrote:
>
> > I'd like to see
> > web2py's access control beefed up (thus permitting easy development of
> > workflows, among other things).  Specifically, the current web2py RBAC
> > has two levels of granularity: table and record (row). This should be
> > extended to include field(column), type(controller), and
> > context(state).
>
> auth.add_permission(group_id, 'name', 'object', record_id)
>
> In the above, 'object' can be any user-defined object, not just a DB table
> (record_id is only relevant if the object is a table). Does that help?
>
> > Although the type(controller) access control is currently implemented
> > via decorators in web2py, this is restricted to coders.
>
> You don't have to use decorators. You can directly check for permissions via
> auth.has_membership() and auth.has_permission().
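As an added example that is not taken from this thread, here is the state-based check the reply says must be enforced manually in the controller, written in plain Python with no web2py dependency; the group names, the two states, the record layout and the function names are assumed for illustration only:

```python
# Added example (not from the thread): a default-deny policy for the
# author/editor workflow described above. In a web2py controller the
# `groups` argument would come from auth.has_membership() lookups and the
# `state` from a field on the record; auth.add_permission() alone cannot
# express this because it only sees the table or record id, not its state.
from enum import Enum


class State(Enum):
    DRAFT = "draft"          # still being written by the author
    SUBMITTED = "submitted"  # handed over for editing


# Policy table: (group, state) -> CRUD actions permitted.
# Any (group, state) pair not listed is denied (default deny).
POLICY = {
    ("author", State.DRAFT): {"create", "read", "update", "delete"},
    ("author", State.SUBMITTED): {"read"},
    ("editor", State.SUBMITTED): {"read", "update"},
}


def allowed(groups, action, state):
    """True if any of the user's groups grants `action` while in `state`."""
    return any(action in POLICY.get((g, state), set()) for g in groups)


def enforce(groups, action, record):
    """Controller-side guard: raise instead of silently proceeding."""
    state = State(record["state"])
    if not allowed(groups, action, state):
        raise PermissionError(
            f"{action} denied for {sorted(groups)} in state {state.value}")
    return True


def submit(record, groups):
    """Author submits the article: requires 'update' in the current state,
    then moves the same record to SUBMITTED, after which the author's rights
    shrink to read-only and the editor gains read/update."""
    enforce(groups, "update", record)
    record["state"] = State.SUBMITTED.value
    return record


# Constructed sample record (hypothetical), the same row throughout.
ARTICLE = {"id": 1, "title": "draft article", "state": "draft"}
```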
