I think your idea of having the possibility of declaring on the route config a permission that is required by all views that match that route is a reasonable thing to ask, especially from the point of view of pure route users. I made a proof of concept here:
https://github.com/cguardia/pyramid/commit/8b3220e6d3e809cceff0db88ebb6fda1607e1a62

It's possible that something similar to this could be added to Pyramid if I implement this differently, test it and document it. I could do that if you and other Pylons users or Pyramid newcomers in general think this is worthwhile. Now that you have been through this experience, do you still think this would be a good thing for Pyramid to have?

Thanks,
Carlos de la Guardia

On Mon, May 28, 2012 at 11:26 AM, Michael Bayer <[email protected]> wrote:
> I've made a 40% effort to figure this one out but at least I've figured many
> other things out without bugging the list .... (the irc channel is another
> story ;) )
>
> Here's a route in application.py:
>
> config.add_route('some_admin_thing', '/admin_something', factory=AdminUserACL)
>
> Here's the general idea of AdminUserACL:
>
> class AdminUserACL(object):
>     @property
>     def __acl__(self):
>         # this is programmatic based on who is logged in,
>         # but the end result might be:
>         return [
>             (Allow, Authenticated, "access"),
>             (Allow, Authenticated, "useradmin")
>         ]
>
>     def __init__(self, request):
>         # pull out the admin user from request, do things
>
> So a view that wants to require the "useradmin" permission looks like:
>
> @view_config(route_name='some_admin_thing', renderer='json',
>              request_method='GET', permission='useradmin')
> def some_admin_thing(request):
>     # ...
>
> But the thing is, all views of this route should require "useradmin"
> permission. I don't like that I have to split the declaration of
> authorization in two places (factory on add_route(), permission on
> view_config()). If I try to put "permission" or "view_permission" on the
> add_route(), it wants to know the view at that point, implying I wouldn't be
> able to use view_config() in the first place. Plus it appears
> "view_permission" on add_route() is deprecated.
>
> Since what I want to do seems natural here, yet it's all explicitly
> disallowed/discouraged, it suggests my understanding of things is incorrect?
> The goal here is "declare all authorization in one place". To me,
> "factory" and "permission" are both dealing with authorization and it isn't
> clear why add_route() can't have some default notion of "permission",
> agnostic of individual views which is applied to those views.
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/pylons-discuss?hl=en.
