Manage authorization / scope in a web application

Every discussion or tutorial I've ever come across that relates to authorization has dealt with simple binary authorization. Can I edit pages in a blogging application? Can the user approve the comments? Simple examples.

What I have not seen much are more complex permission-based "examples". Can the user edit this page? Can the user confirm this comment? ... where the user has permission to perform actions on certain records, but not all.

Are there common approaches to this problem? Any good examples? I can hack together various simple solutions, but I don't like the feeling that I am reinventing the wheel.

FWIW, the current application I'm dealing with is built in Python Pylons.

2 answers

I've seen this done in two ways:

  • In a rich domain model, a mutable object performs the security check itself (for example, the object can be placed in read-only mode when the user does not have the right to edit it, or it raises an exception otherwise).
  • In an anemic domain model, verification is performed by the service working on the object (or a collaborative security service).

Both approaches require work.


Yes, I sometimes come across this. You can look and see if Python has something similar to the GACL that PHP has. But this may be redundant.

If you come across this a lot, I would use an ACL and just reuse it. Of course, you use the same structure.

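An added example (not code from either answer or from Pylons) that puts the two answers together: a small reusable ACL of the kind the second answer suggests, holding both type-wide rules and per-record entries, enforced in the two styles the first answer describes, by the domain object itself (`Page.edit`) and by a service acting on an anemic object (`CommentService.approve`). All names (`Acl`, `Principal`, `Page`, `CommentService`, the `owner` pseudo-subject, the sample users and record ids) are invented for this illustration.

```python
# Added example, not from the original thread: a per-record ACL plus the two
# enforcement styles (rich domain object vs. service check). All identifiers
# here are hypothetical.
from dataclasses import dataclass, field

ALL = None  # resource_id wildcard: the entry applies to every record of that type


class PermissionDenied(Exception):
    """Raised when a principal attempts an action the ACL does not grant."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


class Acl:
    """Access-control list keyed by (subject, action, resource_type, resource_id).

    subject is "user:<id>", "role:<name>", or the pseudo-subject "owner", which
    matches when the record's owner_id equals the principal's user_id.
    resource_id ALL grants the action on every record of that type (the usual
    coarse rule); a concrete id grants it on that single record only.
    """

    def __init__(self):
        self._entries = set()

    def grant(self, subject, action, resource_type, resource_id=ALL):
        self._entries.add((subject, action, resource_type, resource_id))

    def is_allowed(self, principal, action, resource):
        subjects = {f"user:{principal.user_id}"}
        subjects |= {f"role:{r}" for r in principal.roles}
        if getattr(resource, "owner_id", None) == principal.user_id:
            subjects.add("owner")
        rtype = type(resource).__name__.lower()
        # Default deny: only an explicit wildcard or per-record entry allows.
        return any((s, action, rtype, rid) in self._entries
                   for s in subjects for rid in (ALL, resource.id))


# --- Style 1: rich domain model; the object guards its own mutators ---------
@dataclass
class Page:
    id: int
    owner_id: str
    body: str
    acl: Acl = field(default=None, repr=False, compare=False)

    def can(self, principal, action):
        """Lets a view render the page read-only instead of failing late."""
        return self.acl.is_allowed(principal, action, self)

    def edit(self, principal, new_body):
        if not self.can(principal, "edit"):
            raise PermissionDenied(f"{principal.user_id} may not edit page {self.id}")
        self.body = new_body
        return self


# --- Style 2: anemic domain model; a service performs the check -------------
@dataclass
class Comment:
    id: int
    page_id: int
    author_id: str
    approved: bool = False


class CommentService:
    def __init__(self, acl):
        self.acl = acl

    def approve(self, principal, comment):
        if not self.acl.is_allowed(principal, "approve", comment):
            raise PermissionDenied(
                f"{principal.user_id} may not approve comment {comment.id}")
        comment.approved = True
        return comment


def build_demo_acl():
    """Constructed sample policy mixing type-wide and per-record grants."""
    acl = Acl()
    acl.grant("owner", "edit", "page")              # authors edit their own pages
    acl.grant("role:editor", "edit", "page")        # editors edit every page
    acl.grant("user:bob", "approve", "comment", 7)  # bob moderates comment 7 only
    return acl


def attempt(operation):
    """Run a guarded operation and report whether the ACL let it through."""
    try:
        operation()
        return True
    except PermissionDenied:
        return False


def demo():
    acl = build_demo_acl()
    alice, bob = Principal("alice"), Principal("bob")
    editor = Principal("carol", frozenset({"editor"}))
    page = Page(1, "alice", "draft", acl)
    service = CommentService(acl)
    c7, c8 = Comment(7, 1, "dave"), Comment(8, 1, "dave")
    return {
        "alice_edits_own_page": attempt(lambda: page.edit(alice, "v2")),
        "bob_edits_alice_page": attempt(lambda: page.edit(bob, "vandalised")),
        "editor_edits_any_page": attempt(lambda: page.edit(editor, "v3")),
        "bob_approves_comment_7": attempt(lambda: service.approve(bob, c7)),
        "bob_approves_comment_8": attempt(lambda: service.approve(bob, c8)),
        "alice_approves_comment_7": attempt(lambda: service.approve(alice, c7)),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The ACL is default-deny: an action passes only if some subject the principal carries has an entry for either the record type as a whole or that specific record id, so "all pages" and "this one comment" are the same data structure, which is what makes the list reusable across the application. Whether the check lives in `Page.edit` or in `CommentService.approve` is then purely a modelling decision; the `can()` helper is the read-only-mode idea from the first answer, letting a template hide the edit form rather than letting the user hit an exception.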

Source: https://habr.com/ru/post/1338658/
