[Cubicweb] security context
Christophe de Vienne
christophe at unlish.com
Sun Feb 1 23:04:24 CET 2015
At the last copil, I brought up the idea of adding a new notion of "security
context", associated with a connection.
This security context would be a dictionary in which keys could be used
in permissions rql expressions.
Such a context would be very useful to check permissions against
arbitrary information orthogonal to the current user. For example, a
token that gives access to a specific resource could be used to share a
private resource via a simple url including this token.
Once such a system works, the current user (_cw.user) and its security
related attributes (groups) could be transferred to this context, making
cnx.user useless and less of a problem than it is today.
Another big advantage would be that it would be easier to have an
external system providing security information without hacking around
the user, connection and session. One could even have permission
checking without a single CWUser in the database.
I will start working on that idea soon, but before diving into the code
I would like hints about what parts of cubicweb do the permission
checking with rql expressions and the current user.
Feedback on the idea is also welcome.
The fact that an entity, _cw.user, survives all the cnx.clear()
calls is a problem in some cases (see

I am of course thinking of pyramid_cubicweb, in which this security
context could be filled by the 'principals'
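A small runnable model of the idea described in this message, added here as an illustration and not code from CubicWeb or from the author: a connection carries a security-context dictionary, permission rules are plain predicates over that dictionary and the resource (standing in for RQL expressions), and a private resource can be read either by its owner, by a group, or by presenting a share token, with no user account required. The `Resource`, `Connection` and `context_from_principals` names, the `"user:"`/`"group:"`/`"token:"` principal format and the sample values are all assumptions made for this example.

```python
"""Toy model of a connection-bound security context for permission checks.

Added illustration, not CubicWeb code: real CubicWeb permissions are RQL
expressions evaluated against the database. Here a rule is a Python
predicate over (context, resource) so the idea can be exercised offline.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Resource:
    # Hypothetical resource shape; share_token is a per-resource secret
    # that a sharing URL would carry (constructed for this example).
    eid: int
    owner: str
    private: bool
    share_token: Optional[str] = None


@dataclass
class Connection:
    # The security context: arbitrary keys that permission rules may
    # consult. Nothing here requires a CWUser-like account to exist.
    security_context: Dict[str, object] = field(default_factory=dict)


def rule_owner(ctx: Dict[str, object], res: Resource) -> bool:
    """Equivalent of an 'X owned_by U' style expression on the context user."""
    user = ctx.get("user")
    return user is not None and user == res.owner


def rule_group(ctx: Dict[str, object], res: Resource) -> bool:
    """Group membership now lives in the context rather than on cnx.user."""
    return "managers" in ctx.get("groups", ())


def rule_share_token(ctx: Dict[str, object], res: Resource) -> bool:
    """Token-based access to one specific resource, orthogonal to any user."""
    token = ctx.get("share_token")
    if not isinstance(token, str) or res.share_token is None:
        return False
    # Constant-time comparison: a secret-bearing check must not leak
    # how many leading characters matched through timing.
    return hmac.compare_digest(token, res.share_token)


READ_RULES: Iterable[Callable[[Dict[str, object], Resource], bool]] = (
    rule_owner,
    rule_group,
    rule_share_token,
)


def can_read(cnx: Connection, res: Resource) -> bool:
    """Public resources are readable by anyone; private ones need one rule to pass."""
    if not res.private:
        return True
    return any(rule(cnx.security_context, res) for rule in READ_RULES)


def context_from_principals(principals: Iterable[str]) -> Dict[str, object]:
    """Build a security context from a principals list (hypothetical
    'user:<id>' / 'group:<name>' / 'token:<value>' format, assumed here
    only to show how an external system could fill the context)."""
    ctx: Dict[str, object] = {"groups": set()}
    for principal in principals:
        kind, _, value = principal.partition(":")
        if kind == "user":
            ctx["user"] = value
        elif kind == "group":
            ctx["groups"].add(value)
        elif kind == "token":
            ctx["share_token"] = value
    return ctx


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    doc = Resource(eid=1, owner="alice", private=True, share_token="tok-constructed")
    print("owner:", can_read(Connection({"user": "alice"}), doc))
    print("stranger:", can_read(Connection({"user": "bob"}), doc))
    print("token only, no user:", can_read(Connection({"share_token": "tok-constructed"}), doc))
    print("from principals:", can_read(Connection(context_from_principals(["group:managers"])), doc))
```

The point of the last two checks is the one the message makes: the token-only connection has no "user" key at all, and the principals-derived context carries group membership without any user entity, yet both are evaluated by the same rule set as an ordinary logged-in owner.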