I've made a 40% effort to figure this one out but at least I've figured many
other things out without bugging the list .... (the irc channel is another
story ;) )

Here's a route in application.py:

    config.add_route('some_admin_thing', '/admin_something', factory=AdminUserACL)

Here's the general idea of AdminUserACL:

    from pyramid.security import Allow, Authenticated

    class AdminUserACL(object):
        @property
        def __acl__(self):
            # this is programmatic based on who is logged in,
            # but the end result might be:
            return [
                (Allow, Authenticated, "access"),
                (Allow, Authenticated, "useradmin")
            ]

        def __init__(self, request):
            # pull out the admin user from request, do things
            self.request = request

So a view that wants to require the "useradmin" permission looks like:

    from pyramid.view import view_config

    @view_config(route_name='some_admin_thing', renderer='json',
                 request_method='GET', permission='useradmin')
    def some_admin_thing(request):
        # ...
        return {}

But the thing is, all views of this route should require "useradmin"
permission. I don't like that I have to split the declaration of
authorization in two places (factory on add_route(), permission on
view_config()). If I try to put "permission" or "view_permission" on the
add_route(), it wants to know the view at that point, implying I wouldn't be
able to use view_config() in the first place. Plus it appears
"view_permission" on add_route() is deprecated.

Since what I want to do seems natural here, yet it's all explicitly
disallowed/discouraged, it suggests my understanding of things is incorrect?

The goal here is "declare all authorization in one place". To me, "factory"
and "permission" are both dealing with authorization and it isn't clear why
add_route() can't have some default notion of "permission", agnostic of
individual views, which is applied to those views.
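
An added example, not part of the original message and not Pyramid's own code: a simplified pure-Python model of how the route factory's ACL and a view's permission interact, showing why a view on the same route that omits permission is not protected by the factory alone. The names `permits`, `can_call`, `unguarded`, `VIEWS` and the second view `other_admin_thing` are hypothetical; only `AdminUserACL`, the route name and the permission names come from the post.

```python
# Simplified stand-in for ACL-based view authorization (not Pyramid's code).
ALLOW, DENY = "Allow", "Deny"
EVERYONE, AUTHENTICATED = "system.Everyone", "system.Authenticated"


class AdminUserACL:
    """Context returned by the route factory; it only carries the ACL."""
    __acl__ = [
        (ALLOW, AUTHENTICATED, "access"),
        (ALLOW, AUTHENTICATED, "useradmin"),
    ]


def permits(context, principals, permission):
    """First ACE matching both principal and permission wins; default deny."""
    for action, principal, perms in getattr(context, "__acl__", []):
        perms = [perms] if isinstance(perms, str) else perms
        if principal in principals and permission in perms:
            return action == ALLOW
    return False


def can_call(view, context, principals, default_permission=None):
    """The ACL is consulted only when the view names a permission."""
    required = view.get("permission") or default_permission
    if required is None:
        return True  # nothing to check: the view is open to everyone
    return permits(context, principals, required)


def unguarded(views, route_name):
    """Audit helper: views on a route that declare no permission."""
    return [v["name"] for v in views
            if v["route_name"] == route_name and not v.get("permission")]


# Constructed registrations: the second view forgot permission=.
VIEWS = [
    {"name": "some_admin_thing", "route_name": "some_admin_thing",
     "permission": "useradmin"},
    {"name": "other_admin_thing", "route_name": "some_admin_thing"},
]
ANONYMOUS = [EVERYONE]
LOGGED_IN = [EVERYONE, AUTHENTICATED]
```

In Pyramid itself the application-wide counterpart of `default_permission` here is `Configurator.set_default_permission()`; it applies to every view, not to a single route.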