Changes between Initial Version and Version 1 of GenericAuthorization


Ignore:
Timestamp:
May 28, 2006, 1:31:02 PM (18 years ago)
Author:
jkocherhans
Comment:

initial revision

Legend:

Unmodified
Added
Removed
Modified
  • GenericAuthorization

    v1 v1  
     1= Authorization =
     2
     3[[TOC(inline, GenericAuthorization)]]
     4
     5== Proposal ==
     6
     7As part of Google's 2006 Summer of Code, Joseph Kocherhans will be implementing a more flexible authorization system for Django. The new system should allow for ACL's, role-based systems, and Django's current model-level permissions.  {{{peak.security}}} http://peak.telecommunity.com/DevCenter/SecurityRules will be used as a basic model, but things will be made more django-like where it makes sense.
     8
     9Currently Django's authentication system is tied directly to the User model from django.contrib.auth. Also, there is no way to allow for row-level permissions. Authentication checks will be changed to use a new generic function:
     10
     11{{{
     12#!python
     13has_permission(user, permission, object)
     14}}}
     15
     16This function will delegate to other functions based on the type of user, permission and object that are passed to it. This will allow the use of different types of security rules depending on the type of object being accessed, as well as allowing for new user objects that don't need to fulfill the whole {{{django.contrib.auth.models.User}}} interface. You can even create rules that don't depend on the default permission table in the database.
     17
     18== Scope ==
     19
     20The scope of this project is limited to providing the underlying support for making ACL's, etc possible, not actually implementing such policies. A policy that mimicks Django's model-level permission system will be included though.
     21
     22
     23== Usage ==
     24=== Checking a permission ===
     25
     26{{{
     27#!python
     28from django.contrib.auth import has_permission
     29if has_permission(user, permission, object):
     30    # do something
     31}}}
     32
     33
     34=== Adding new rules ===
     35
     36Here's an example of the low level api for adding new security rules. In reality, this will probably happen under the covers via new Meta settings, but this will be discussed later, probably after the low level stuff has been implemented and tested.
     37
     38{{{
     39#!python
     40from django.contrib.auth.models import User
     41from django.contrib.auth import has_permission
     42
     43def default_has_permission(user, permission, object=None):
     44    return user.has_perm(permission)
     45
     46has_permission.register(default_has_permission, User)
     47}}}
     48
     49This is fairly close to what it would look like to implement django's current security policy. The object isn't really important in this case since Django's permissions are based on the Model you're accessing, not the actual object (See RowLevelPermissions for object-specific permissions.) We is we pass more than just {{{User}}} to the register method, we can register different security rules for different Models.
     50
     51
     52== Implementation ==
     53
     54{{{has_permission}}} will be implemented as a class with a {{{register}}} method and a {{{__call__(self, user, permission, object)}}} method.
     55
     56This method is similar to Philip J. Eby's [RuleDispatch http://peak.telecommunity.com/PyCon05Talk/] and Guido van Rossum's recent work on generic/overloaded functions. See references for examples.
     57
     58== Roadmap ==
     59
     60Here's a simple roadmap for this project. I'll try to keep it as up to date as possible, noting changeset numbers as tasks are completed.
     61
     62|| Task || Status ||
     63|| Implement and test the has_permission generic function. || Not Started ||
     64|| Implement a function to mimic Django's current authorization. || Not Started ||
     65|| Update the admin system to use {{{has_permission}}} and test. || Not Started ||
     66|| Update other views/decorators to use {{{has_permission}}} and test. || Not Started ||
     67|| Revise this page and integrate into core django docs. (Is this allowed for SoC, I'l let my mentor decide, if not, I'll just do it after SoC is over) || Not Started ||
     68
     69
     70== References ==
     71
     72 - http://svn.python.org/view/sandbox/trunk/overload/
     73 - http://www.artima.com/weblogs/viewpost.jsp?thread=155123
     74 - http://www.artima.com/weblogs/viewpost.jsp?thread=155514
     75
Back to Top