user authorization (with one time login) in a Python desktop application ?

Tim Golden mail at timgolden.me.uk
Sun Sep 27 18:09:42 CEST 2009


Steven D'Aprano wrote:
> On Sun, 27 Sep 2009 16:11:52 +0200, Stef Mientki wrote:
> 
>> I've a Python desktop application, running under Widows, that stores the
>> data in a central SQLite database.
>>
>> Depending on the user login on the system, some of the data from the
>> database is allowed and other data is forbidden.

> What is your threat model? What are you trying to protect against?


[... snip further stuff from Stephen, usefully requiring
clarification if ideas from the OP ...]

As a general rule within Windows, you let Windows do the
authentication for you and you base your authorisation on
the presence or otherwise of certain security groups in
user's token. You can get hold of the token via -- in
Python -- the win32security module, whose functionality
you can supplement if needed by using the ctypes model
to map in API functions which aren't already exposed.

The kind of thing you might do here -- altho' it obviously
depends on your particular situation -- would be to store
a security group's identifier (name or SID) in some sort
of roles-or-permissions table, requiring that to perform
function X, the user must be in group Y. A logged on user
either is or isn't in that group.

Obviously, as was pointed out, if your users are so
untrustworthy, they might steal or guess each other's
logon details, but at that point you've got problems far
more serious than merely the data your sqlite database
represents.

TJG



More information about the Python-list mailing list