
Role-based authorization mechanism for a GAE app

I'm looking for a role-based framework/module/package for an app written in Python (2.7) running on Google App Engine.

By role-based I mean a mechanism that would allow me to check (during request processing most of the time) whether a certain user is able to perform a specific action.

A couple use cases:

  • user A should be able to see and modify their own profile, whereas user B should only be able to see user A's profile.
  • a user with an "admin" role should be able to see all registered users, whereas user A and user B should only be able to see users with a public profile (e.g. users with user.public property set to True)
  • etc.

I'm imagining something like

user_a.is_able_to('read', user_b) # -> True or False

or

user_a.authorize('update', user_b) # raises an exception if 'not allowed to'

So far I've only seen acl.py from tipfy. Looks quite simple and pretty much close to what I'm looking for. I'm wondering whether there's something similar to that acl.py, preferably implemented using NDB.

alex asked Mar 13 '12 19:03


1 Answer

Web2py contains role based access control which I believe works on GAE. This is documented here:

http://web2py.com/books/default/chapter/29/9

You may be able to fork the auth module and mod it for your purposes. I know people have done this with other parts of web2py such as the DAL.

David Watson answered Oct 12 '22 22:10
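
A minimal sketch of the `is_able_to` / `authorize` interface imagined in the question, covering its two use cases with a deny-by-default rule table. This is an added example, not code from the asker, tipfy or web2py; the `User` class, `RULES`, `NotAuthorized` and `visible_users` are hypothetical names, and it uses plain Python objects in place of NDB models.

```python
class NotAuthorized(Exception):
    """Raised by User.authorize() when no rule grants the action."""


class User(object):
    # Hypothetical stand-in for a datastore model (not an NDB class).
    def __init__(self, name, roles=(), public=False):
        self.name = name
        self.roles = frozenset(roles) | {"user"}  # every account gets the base role
        self.public = public

    def is_able_to(self, action, target):
        # Deny by default: access is granted only if some rule registered for
        # one of this user's roles and this action has a condition that holds.
        return any(
            condition(self, target)
            for role in self.roles
            for condition in RULES.get((role, action), ())
        )

    def authorize(self, action, target):
        if not self.is_able_to(action, target):
            raise NotAuthorized("%s may not %s %s" % (self.name, action, target.name))


def is_self(actor, target):
    # A real app would compare datastore keys rather than names.
    return actor.name == target.name

def is_public(actor, target):
    return target.public

def always(actor, target):
    return True

# (role, action) -> conditions; any single passing condition grants access.
# Anything not listed here (e.g. an admin updating another profile) is denied.
RULES = {
    ("user", "read"): (is_self, is_public),
    ("user", "update"): (is_self,),
    ("admin", "read"): (always,),
}

def visible_users(actor, all_users):
    # Listing use case: filter a collection through the same check.
    return [u for u in all_users if actor.is_able_to("read", u)]
```

Keeping the listing filter and the per-object check on the same rule table avoids the two drifting apart, which is a common source of authorization bypasses in list endpoints.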