#1 2014-11-20 15:51:14

jonjbar
Member
Registered: 2012-12-27
Posts: 37

Custom authorization: where to start ?

I'm really confused about authorization in mORMot. I'm using a TSQLHttpServer.
I understand I should use TSQLAuthUser and TSQLAuthGroup to provide per-table restrictions.
However, how to handle more complex scenarios such as for example:

* A user who created a specific TBlogArticleRecord can have CRUD right access for it while other users can only have read access on that record ?
* A user can only receive a list of the TBlogArticleRecord he has the rights to read when calling for example TBlogArticleRecord.CreateAndFillPrepare as server will filter any un-authorized records ?

Thanks for any help.

Offline

#2 2014-11-20 15:54:04

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,370
Website

Re: Custom authorization: where to start ?

Authorization is for a whole table wide.
You can not set authorization for a particular record.

If you need more tuned security, use an interface based service, and disallow the whole table reading at ORM/REST level.

Online

#3 2014-11-25 11:26:19

jonjbar
Member
Registered: 2012-12-27
Posts: 37

Re: Custom authorization: where to start ?

OK Thanks. Perhaps in a future update.

Offline

Board footer

Powered by FluxBB