
Controlling authorization/scope in a web application

Every discussion or tutorial I've ever come across about authorization has only dealt with simple binary authorization. In a blogging application, can the user edit pages? Can the user approve comments? Simple examples like that.

What I haven't seen a lot of is more complex "scope"-based authorization examples. Can the user edit this page? Can the user approve this comment? ...where the user has permission to perform actions on certain records, but not all.

Are there common approaches to this problem? Any good examples? I can whip up various simple solutions, but I hate feeling like I'm reinventing the wheel.

FWIW, the current application I'm dealing with is built in Python Pylons.


I've seen it done two ways:

  1. In a rich-domain model, the object being changed can do the security check (the object could be put into a read-only mode when the user was not authorized to edit it, and would throw an exception otherwise, for example).
  2. In an anemic-domain model, the check is done by the service operating on the object (or a collaborating security service).

Both approaches required work.
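The two placements described above, shown side by side in Python (the asker's language) as an added illustration; this is not code from the answer or from Pylons. The `User`, `Page` and `Comment` classes, the `editors` field and the rule "owner, listed editor or admin may edit a page; whoever may edit the page may approve its comments" are constructed assumptions chosen to make record-level scope visible.

```python
"""Record-scoped authorization placed in the domain object (rich model) or in a
collaborating security service (anemic model). Added example; all classes and
the scope rule are assumptions, not from the original post."""
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when a user attempts an action on a record they may not touch."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


# --- Style 1: rich domain model. The object checks scope itself and starts
# read-only; unlock_for() opens it only for a user authorized on THIS record.
@dataclass
class Page:
    slug: str
    owner: str
    body: str = ""
    editors: set = field(default_factory=set)
    _read_only: bool = True

    def can_edit(self, user: User) -> bool:
        # Scope rule (assumed): owner, listed editor, or a site admin.
        return user.name == self.owner or user.name in self.editors or "admin" in user.roles

    def unlock_for(self, user: User) -> "Page":
        self._read_only = not self.can_edit(user)
        return self

    def set_body(self, text: str) -> None:
        if self._read_only:
            raise NotAuthorized(f"page {self.slug!r} is read-only for this user")
        self.body = text


# --- Style 2: anemic domain model. The record holds data only; a security
# service decides, and the operating service asks it before every change.
@dataclass
class Comment:
    id: int
    page_slug: str
    approved: bool = False


class SecurityService:
    def __init__(self, pages: dict):
        self._pages = pages  # slug -> Page, so comment scope follows page scope

    def check(self, user: User, action: str, comment: Comment) -> None:
        page = self._pages[comment.page_slug]
        if action == "approve" and page.can_edit(user):
            return
        raise NotAuthorized(f"{user.name} may not {action} comment {comment.id}")


class CommentService:
    def __init__(self, security: SecurityService):
        self._security = security

    def approve(self, user: User, comment: Comment) -> Comment:
        self._security.check(user, "approve", comment)  # deny by default
        comment.approved = True
        return comment


def demo() -> dict:
    """Exercise both styles on constructed records and report the outcomes."""
    alice, bob, root = User("alice"), User("bob"), User("root", frozenset({"admin"}))
    page = Page(slug="hello", owner="alice", editors={"carol"})
    results = {}
    page.unlock_for(alice).set_body("owner edit ok")
    results["owner_edit"] = page.body
    try:
        page.unlock_for(bob).set_body("should fail")
        results["bob_edit"] = "allowed"
    except NotAuthorized:
        results["bob_edit"] = "denied"
    comments = CommentService(SecurityService({"hello": page}))
    results["admin_approve"] = comments.approve(root, Comment(1, "hello")).approved
    try:
        comments.approve(bob, Comment(2, "hello"))
        results["bob_approve"] = "allowed"
    except NotAuthorized:
        results["bob_approve"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

In the rich style the scope rule lives next to the data it protects, so a new caller cannot forget it; in the anemic style the rule is centralized in one service, which is easier to audit and to swap for an ACL later. Either way the important property is the same: the check names the specific record, and the default outcome is denial.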


Yeah, I run across this once in a while. You can take a look and see if Python has something similar to GACL that PHP has. But that might be overkill.

If you run across this a lot, I'd implement an ACL and just reuse it. Granted you are using the same framework.
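A minimal reusable ACL of the kind this answer suggests, written in Python as an added example; it is not GACL and not part of the original answer. Grants are tuples of (subject, action, resource type, record id), with `"*"` as the id meaning every record of that type, so the same table answers both "can this user edit this page?" and "which pages may this user edit?". The `requires` decorator and its calling convention (user first, record id as the `id` keyword) are assumptions for illustration.

```python
"""Record-scoped, deny-by-default ACL. Added example; the Acl class, the
requires() decorator and the sample grants are assumptions, not GACL."""
from collections import defaultdict
from functools import wraps

ANY = "*"  # wildcard record id: the action is granted on every record of that type


class Acl:
    def __init__(self):
        self._grants = defaultdict(set)  # subject -> {(action, rtype, rid)}
        self._roles = defaultdict(set)   # user -> {role}; grants may target roles

    def assign_role(self, user, role):
        self._roles[user].add(role)

    def grant(self, subject, action, rtype, rid=ANY):
        self._grants[subject].add((action, rtype, str(rid)))

    def revoke(self, subject, action, rtype, rid=ANY):
        self._grants[subject].discard((action, rtype, str(rid)))

    def is_allowed(self, user, action, rtype, rid):
        # A user acts as themselves plus each of their roles; an exact record
        # grant or a wildcard grant on the type is enough. Nothing else passes.
        subjects = {user, *self._roles[user]}
        wanted = {(action, rtype, str(rid)), (action, rtype, ANY)}
        return any(self._grants[s] & wanted for s in subjects)

    def allowed_ids(self, user, action, rtype, candidates):
        """Filter a listing down to the records this user may act on."""
        return [rid for rid in candidates if self.is_allowed(user, action, rtype, rid)]


def requires(acl, action, rtype):
    """Guard a controller action; assumes user is the first argument and the
    record id is passed as the keyword 'id' (constructed convention)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, id, **kwargs):
            if not acl.is_allowed(user, action, rtype, id):
                raise PermissionError(f"{user} may not {action} {rtype} {id}")
            return fn(user, *args, id=id, **kwargs)
        return wrapper
    return deco


def build_blog_acl():
    """Constructed sample grants for a blog: admins everywhere, users per record."""
    acl = Acl()
    acl.assign_role("root", "admin")
    acl.grant("admin", "edit", "page")             # every page
    acl.grant("admin", "approve", "comment")       # every comment
    acl.grant("alice", "edit", "page", 1)          # only page 1
    acl.grant("alice", "approve", "comment", 10)   # only comment 10
    acl.grant("bob", "edit", "page", 2)
    return acl


def demo():
    acl = build_blog_acl()

    @requires(acl, "edit", "page")
    def edit_page(user, *, id, body):
        return f"page {id} updated by {user}"

    results = {
        "alice_page1": acl.is_allowed("alice", "edit", "page", 1),
        "alice_page2": acl.is_allowed("alice", "edit", "page", 2),
        "root_page2": acl.is_allowed("root", "edit", "page", 2),
        "alice_pages": acl.allowed_ids("alice", "edit", "page", [1, 2, 3]),
        "edit_ok": edit_page("alice", id=1, body="x"),
    }
    try:
        edit_page("bob", id=1, body="x")
        results["bob_page1"] = "allowed"
    except PermissionError:
        results["bob_page1"] = "denied"
    acl.revoke("alice", "edit", "page", 1)
    results["alice_page1_after_revoke"] = acl.is_allowed("alice", "edit", "page", 1)
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping the record id in the grant is what separates this from the binary "can the user edit pages?" checks the question complains about; `allowed_ids` also shows the second half of the problem, narrowing a list so users never see records they cannot act on. In a real application the grant table would live in the database alongside the records, and the decorator would sit on the controller action so the check cannot be skipped.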

