And why could the object not be a query that can return a list of records having the state you are looking for?
Richard

On Mon, Oct 24, 2011 at 8:25 PM, Triquetra <trique...@triquetradevelopment.com> wrote:
> No, I don't think this helps, unless I'm misunderstanding something
> (which is possible).
>
> When using "auth.add_permission(group_id, 'name', 'object', record_id)"
> the CRUD permissions are only enforced if the object is a table
> (according to the book). So, even assuming one could pass a column as
> the object (to enable field based access control), the web2py access
> system will not automatically enforce CRUD permissions on this object
> (like it would with tables or records). This level of access control
> would require additional manual enforcement in the controllers.
>
> This doesn't help with state based permissions either. The issue here
> is that permissions may change depending upon the state of the object.
> Workflows are a good example. If A is in group author and E is in group
> editor, a workflow may demand that A has full CRUD rights until the
> article is submitted for editing, then A only has read rights over the
> SAME record and editor group gets read and update rights only after
> submission of the article for editing. Same record, same groups, same
> users -- different permissions based on the state of the record (which
> could be indicated by the content of a field).
>
> > On Friday, October 21, 2011 3:54:26 PM UTC-4, Triquetra wrote:
> > >
> > > I'd like to see web2py's access control beefed up (thus permitting
> > > easy development of workflows, among other things). Specifically,
> > > the current web2py RBAC has two levels of granularity: table and
> > > record (row). This should be extended to include field(column),
> > > type(controller), and context(state).
> >
> > auth.add_permission(group_id, 'name', 'object', record_id)
> >
> > In the above, 'object' can be any user-defined object, not just a DB
> > table (record_id is only relevant if the object is a table). Does that
> > help?
> >
> > > Although the type(controller) access control is currently
> > > implemented via decorators in web2py, this is restricted to coders.
> >
> > You don't have to use decorators. You can directly check for
> > permissions via auth.has_membership() and auth.has_permission().
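A stand-alone Python sketch of the state-based policy Triquetra describes, where the same record, groups and users get different CRUD rights before and after submission. This is an added example, not code from this thread or from web2py; the `Article` class, the `draft`/`submitted` states, the `has_permission`/`submit` helpers and the rule that editors have no rights before submission are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Workflow states the record can be in (constructed for this example).
DRAFT, SUBMITTED = "draft", "submitted"

# Policy keyed by (group, state) -> allowed CRUD actions. The state lives in
# a field of the record, so rights change without touching group membership.
# Editors having no rights on a draft is an assumption not stated in the thread.
POLICY = {
    ("author", DRAFT): {"create", "read", "update", "delete"},
    ("author", SUBMITTED): {"read"},
    ("editor", DRAFT): set(),
    ("editor", SUBMITTED): {"read", "update"},
}


@dataclass
class Article:
    id: int
    owner: str          # user who created the record
    state: str = DRAFT  # the field that drives the permission check


def has_permission(user, groups, action, article):
    """Return True if `user`, a member of `groups`, may perform `action`
    on `article` given the article's current state. Author rights apply
    only to the author's own record, so another author gets nothing."""
    allowed = set()
    for group in groups:
        if group == "author" and article.owner != user:
            continue
        allowed |= POLICY.get((group, article.state), set())
    return action in allowed


def submit(user, groups, article):
    """Move a draft to 'submitted'. Only someone who may currently update
    the record (the owning author while it is a draft) can do this; a
    repeated submit or an editor's submit is refused."""
    if article.state != DRAFT or not has_permission(user, groups, "update", article):
        raise PermissionError(f"{user} may not submit article {article.id}")
    article.state = SUBMITTED
    return article
```

Once the record is submitted, the same `has_permission` call that granted A update rights now refuses it, and E's editor membership starts to matter, without any change to the group tables.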