From e6e4f655f2abe8d1d5ff63ecd70255094af6de73 Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Fri, 12 Feb 2016 01:09:01 -0600
Subject: let's go ahead and bite off more than we can chew by adding
 object-security

we'll allow anyone to create pages, not just editors

finally we'll allow page creators of pages to edit their pages even if
they are not editors
---
 docs/tutorials/wiki2/design.rst | 82 ++++++++++++++++++++++++-----------------
 1 file changed, 48 insertions(+), 34 deletions(-)

(limited to 'docs/tutorials/wiki2/design.rst')

diff --git a/docs/tutorials/wiki2/design.rst b/docs/tutorials/wiki2/design.rst
index 8e3bb4c13..42f06f7bf 100644
--- a/docs/tutorials/wiki2/design.rst
+++ b/docs/tutorials/wiki2/design.rst
@@ -19,11 +19,17 @@ Models
 We'll be using an SQLite database to hold our wiki data, and we'll be using
 :term:`SQLAlchemy` to access the data in this database.
 
-Within the database, we define a single table named `pages`, whose elements
-will store the wiki pages.  There are two columns: `name` and `data`.
+Within the database, we will define two tables:
 
-URLs like ``/PageName`` will try to find an element in the table that has a
-corresponding name.
+- The `users` table which will store the `name`, `password_hash` and `role`.
+- The `pages` table, whose elements will store the wiki pages.
+  There are three columns: `name`, `data` and `creator_id`.
+
+There is a one-to-many relationship between `users` and `pages` tracking
+the user who created each wiki page.
+
+URLs like ``/PageName`` will try to find an element in the `pages` table that
+has a corresponding name.
 
 To add a page to the wiki, a new row is created and the text is stored in
 `data`.
@@ -32,8 +38,8 @@ A page named ``FrontPage`` containing the text *This is the front page*, will
 be created when the storage is initialized, and will be used as the wiki home
 page.
 
-Views
------
+Wiki Views
+----------
 
 There will be three views to handle the normal operations of adding, editing,
 and viewing wiki pages, plus one view for the wiki front page. Two templates
@@ -47,33 +53,41 @@ templates.
 Security
 --------
 
-We'll eventually be adding security to our application.  The components we'll
-use to do this are below.
-
-- USERS, a dictionary mapping :term:`userids <userid>` to their corresponding
-  passwords.
-
-- GROUPS, a dictionary mapping :term:`userids <userid>` to a list of groups to
-  which they belong.
-
-- ``groupfinder``, an *authorization callback* that looks up USERS and GROUPS.
-  It will be provided in a new ``security/default.py`` subpackage and file.
-
-- An :term:`ACL` is attached to the root :term:`resource`.  Each row below
-  details an :term:`ACE`:
-
-  +----------+----------------+----------------+
-  | Action   | Principal      | Permission     |
-  +==========+================+================+
-  | Allow    | Everyone       | View           |
-  +----------+----------------+----------------+
-  | Allow    | group:editors  | Edit           |
-  +----------+----------------+----------------+
-
-- Permission declarations are added to the views to assert the security
-  policies as each request is handled.
-
-Two additional views and one template will handle the login and logout tasks.
+We'll eventually be adding security to our application.  To do this, we'll
+be using a very simple role-based security model. We'll assign a single
+role category to each user in our system.
+
+`basic`
+  An authenticated user who can view content and create new pages. A `basic`
+  user may also edit the pages they have created but not pages created by
+  other users.
+
+`editor`
+  An authenticated user who can create and edit any content in the system.
+
+In order to accomplish this we'll need to define an authentication policy
+which can identify users by their :term:`userid` and role. Then we'll
+need to define a page :term:`resource` which contains the appropriate
+:term:`ACL`:
+
++----------+--------------------+----------------+
+| Action   | Principal          | Permission     |
++==========+====================+================+
+| Allow    | Everyone           | view           |
++----------+--------------------+----------------+
+| Allow    | group:basic        | create         |
++----------+--------------------+----------------+
+| Allow    | group:editors      | edit           |
++----------+--------------------+----------------+
+| Allow    | <creator of page>  | edit           |
++----------+--------------------+----------------+
+
+Permission declarations will be added to the views to assert the security
+policies as each request is handled.
+
+On the security side of the application there are two additional views for
+handling login and logout as well as two exception views for handling
+invalid access attempts and unhandled URLs.
 
 Summary
 -------
@@ -102,7 +116,7 @@ in the following table:
 |                      |  submitted, redirect  |             |                |            |
 |                      |  to /PageName         |             |                |            |
 +----------------------+-----------------------+-------------+----------------+------------+
-| /add_page/PageName   |  Create the page      |  add_page   |  edit.jinja2   |  edit      |
+| /add_page/PageName   |  Create the page      |  add_page   |  edit.jinja2   |  create    |
 |                      |  *PageName* in        |             |                |            |
 |                      |  storage,  display    |             |                |            |
 |                      |  the edit form        |             |                |            |
-- 
cgit v1.2.3