Ticket #114 (closed enhancement: fixed)
Access Control - model
| Reported by: | dread | Owned by: | dread |
|---|---|---|---|
| Priority: | major | Milestone: | v0.10 |
| Component: | ckan | Keywords: | |
| Cc: | Repository: | ||
| Theme: |
Description (last modified by dread) (diff)
Create in the model basic operation of Access Control.
roles table
name | context | action ----------------------- admin| package | edit admin| package | edit-permissions admin| package | read editor| package | update editor| package | read reader| package | read This data is set-up on db init and will have no interface.
user-roles table:
username | context_type | objectid | role rgrp | system | n/a | admin visitor | package | * | reader bob | package | geonames | admin visitor | package | geonames | editor visitor | package | geonames | reader john | group | ukgov | admin dread | group | ukgov | editor visitor | group | ukgov | reader This data will be added when someone is given permissions for the system, a package or a group.
Pseudo code:
class Package
def is_allowed(name, action):
is_allowed(name, action, context=self)
class Group
def is_allowed(name, action):
is_allowed(name, action, context=self)
def is_allowed(name, action, context=None): name: string - a username or IP for 'visitor'
action: string - 'read', 'edit', 'delete', 'edit-permissions' context: object - a Group or a Package or None (which means system)
# look up user from name. # look up in user-roles table what roles this user has for this context. # for each roles, look up in roles table what actions are allowed. # return True if action is allowed, else False.
Change History
comment:2 Changed 5 years ago by dread
- Status changed from new to closed
- Resolution set to fixed
Done in cset:895ae4371377. Remaining problem in WUI for revision purging. Have not implemented functionality to cope with blank objectid in user-roles table. Adding group access control will be in future ticket.
