[ckan-dev] Auth changes - branch 2939
Toby Dacre
toby.okfn at gmail.com
Fri Oct 12 16:26:31 UTC 2012
On 12 October 2012 15:46, Sean Hammond <sean.hammond at okfn.org> wrote:
> > > - We still seem to be using the roles, rights and actions
> > >
> > > Could you clarify? Do you mean the ones in new_authz?
>
> Ah, I think the ROLE_PERMISSIONS dict in new_authz.py with admin, editor
> and member roles and read, update, delete_dataset etc. actions fooled
> me. But now that I look more closely, it looks like these are only used
> for a couple of groups and orgs auth functions.
>
Yes, that is correct.
>
> So I think we need to remove the chapter in the docs about the old
> roles/actions/objects then, since ckan/authz.py is gone now. And
> probably need to write a chapter about the new system.
>
Yep, the docs will need some updating, I'm sure.
>
> I think maybe ckan/new_authz.py should be ckan/logic/auth/__init__.py,
> and some of the functions could be in ckan/logic/auth/helpers.py or
> somewhere like that, because they seem like helper functions for the
> auth functions. Except for is_authorized() itself and its helper
> is_sysadmin(), and maybe a couple of others.
>
Yes, this change should happen, but I think it would be better done as a
separate piece of refactoring.
It makes sense for all the auth stuff to live in logic.auth.
>
> P.S. I think we could also do away with the concept of 'auth profiles'
> if it is not gone already. I saw that the publisher auth profile is
> gone. It just seems that if we have IAuthFunctions then an auth profile
> could just be an IAuthFunctions plugin that overrides all the auth
> functions. So do we need auth profiles?