Best practice designing a permission system

Question

I'm currently developing a little Python website using Pyramid.
But I don't know how to design the permission system.
The System should be very flexible: I have to establish connections between many different tables.
Instead of writing one permission table for every variant i thought to just create one table - I call it PermissionCollection:

PermissionCollection:

• permissionCollectionId - PrimaryKey
• onType = ENUM("USER","TEACHER","GROUP","COURSE"...)
• onId = Integer

and the Permission table:

• permissionId - PrimaryKey
• key
• value
• permissionCollectionId - ForeignKey

I'll define standard PermissionCollections for every possible relationship hard-coded in sources and if a user,course,teacher... has special rights i'll create a new PermissionCollection and add the permission to it.

I'm very new to web programming, and don't know if this approach is useful. Or if something like this even exists. I think the Pyramid ACL isn't the right tool for this task, is it?

Answer 1

Not sure if you read about it already but pyramid does come with a really nice permission system. Authorization with ACL.

How to handle it, it really only depend of you... You could have a ACL table

(object_id, allow/deny, who?(group, userid), permission, order)

• object_id is a unique id to a record in your database
• allow/deny is what this ACE is supposed to do...allow or deny access
• who? is either a group, username or whatever you want for example system.everyone is everyone
• permission is the permission parameter in view_config
• order is one important thing order does matter

For example

__acl__ = [
(Deny, Everyone, 'view'),
(Allow, 'group:admin', 'view')
]

This sample will always deny view even for admin... As soon as pyramid find something that tells you if you can see or not see a record it automatically stop searching

__acl__ = [
(Allow, 'group:admin', 'view'),
(Deny, Everyone, 'view')
]

This will allow view for every admin but not for anyone else. That is why you have to remember the order of your ACEs.

The fun part is here actually. This is all good. You have acl mapped to a record in your data. When you load for example a page... You will have to load the acl and set them in your object.

myobject.__acl__ = load_acls(myobject) 

If you have a data tree. You can even not set acls.

For example you have a site that looks like that

root
  \--pages with acl
      +---- page1  without acl
      \---- page2  with acl

When you will access page1, it will check for acl if it can't find it, it will check for parent if parent has an acl, it will check permission for it, if it doesn't it will check for its parent until you reach root. If it can't find the permission, im not so sure what happens.. I guess it will either give you a forbidden error or predicate error. That it can't find the proper view.

That said, in order to make that work you have to make location aware object that knows their parents.

But why would you want to do all that?

You can have acl for any object and have really fine grained control on who can watch or not every object in your database. You can also put acl directly in your class object without database.

as long as your acl is in the attribute acl pyramid will be able to do something with it. It's not really important how you got it.

Check this out

http://pyramid.readthedocs.org/en/1.3-branch/tutorials/wiki/authorization.html