I just read the doc... Not sure what I suggest is possible... According to the doc it would need something like this to work:
auth.has_permission(group_id, 'read', 'table123', field123 == 'something') This would lead to check if a user as the permission read on table123 when field123 has the value something... It would be great if it is possible... Richard On Wed, Oct 26, 2011 at 2:03 PM, Richard Vézina <ml.richard.vez...@gmail.com > wrote: > And why the object could not be a query that can return a list of records > having the state you are looking for?? > > Richard > > > On Mon, Oct 24, 2011 at 8:25 PM, Triquetra < > trique...@triquetradevelopment.com> wrote: > >> No, I don't think this helps, unless I'm misunderstanding something >> (which is possible). >> >> When using "auth.add_permission(group_id, 'name', 'object', >> record_id)" the CRUD permissions are only enforced if the object is a >> table (according to the book). So, even assuming one could pass a >> column as the object (to enable field based access control), the >> web2py access system will not automatically enforce CRUD permissions >> on this object (like it would with tables or records). This level of >> access control would require additional manual enforcement in the >> controllers. >> >> This doesn't help with state based permissions either. The issue here >> is that permissions may change depending upon the state of the >> object. Workflows are a good example. If A is in group author and E >> is in group editor, a workflow may demand that A has full CRUD rights >> until the article is submitted for editing, then A only has read >> rights over the SAME record and editor group gets read and update >> rights only after submission of the article for editing. Same record, >> same groups, same users -- different permissions based on the state of >> the record (which could be indicated by the content of a field). >> >> > On Friday, October 21, 2011 3:54:26 PM UTC-4, Triquetra wrote: >> > >> > > I'd like to see >> > > web2py's access control beefed up (thus permitting easy development of >> > > workflows, among other things). Specifically, the current web2py RBAC >> > > has two levels of granularity: table and record (row). This should be >> > >> > extended to include field(column), type(controller), and >> > >> > > context(state). >> > >> > auth.add_permission(group_id, 'name', 'object', record_id) >> > >> > In the above, 'object' can be any user-defined object, not just a DB >> table >> > (record_id is only relevant if the object is a table). Does that help? >> > >> > > Although the type(controller) access control is currently implemented >> > > via decorators in web2py, this is restricted to coders. >> > >> > You don't have to use decorators. You can directly check for permissions >> via >> > auth.has_membership() and auth.has_permission(). >> > >
