3

Having settled on OpenID for authentication, I've been looking at authorisation frameworks for app-engine with the following requirements:

  • be able to create and edit groups of users
  • has built-in permissions such as add, edit, delete
  • has sensible defaults, e.g. creator of an object can edit / delete but others can't

Knowing enough to know that security permissions are a bad idea to self-implement without a massive brain, I've been reading through Django http://docs.djangoproject.com/en/dev/topics/auth/ and tipfy http://www.tipfy.org/wiki/extensions/acl/ to choose one that has already been cooking in the oven for a while.

It's not obvious which will be easier / more extensible so I was hoping to be able to call on experience, recommendations or other suggestions to make a sensible decision?

probably at the beach
  • 1
    "knowing enough to know that security permissions are a bad idea to self implement without a massive brain" - I think you're confusing that with implementing cryptographic security. There's nothing particularly complicated about rolling your own permissions system. – Nick Johnson Apr 15 '11 at 01:55
  • @Nick Johnson yes cryptography is hard too but having been a pen tester in my previous life, I can say from experience that many people get authorisation very wrong. – probably at the beach Apr 15 '11 at 10:44
  • I agree, but I don't think a pre-rolled authorisation library is going to help those people much. – Nick Johnson Apr 18 '11 at 00:59

2 Answers

2

Given that there are a lot of problems with the Django ORM and the Google App Engine datastore, and http://www.tipfy.org/ says that it is made specifically for Google App Engine, I must suggest tipfy.

zerofuxor
1

2 pretty good frameworks I tried that have authorisation are GAEFramework and web2py. They are both easier to get started with than tipfy. I hope you like these.

Niklas Rosencrantz