On 06/20/2012 08:22 PM, Carlos de la Guardia wrote:
I think your idea of having the possibility of declaring on the route
config a permission that is required by all views that match that
route is a reasonable thing to ask, especially from the point of view
of pure route users. I made a proof of concept here:
https://github.com/cguardia/pyramid/commit/8b3220e6d3e809cceff0db88ebb6fda1607e1a62
It's possible that something similar to this could be added to Pyramid
if I implement this differently, test it and document it. I could do
that if you and other Pylons users or Pyramid newcomers in general
think this is worthwhile.
Now that you have been through this experience, do you still think
this would be a good thing for Pyramid to have?
Thanks,
Carlos de la Guardia
On Mon, May 28, 2012 at 11:26 AM, Michael Bayer
<[email protected]> wrote:
I've made a 40% effort to figure this one out but at least I've figured many
other things out without bugging the list .... (the irc channel is another
story ;) )
Here's a route in application.py:
config.add_route('some_admin_thing', '/admin_something', factory=AdminUserACL)
Here's the general idea of AdminUserACL:
from pyramid.security import Allow, Authenticated

class AdminUserACL(object):
    @property
    def __acl__(self):
        # this is programmatic based on who is logged in,
        # but the end result might be:
        return [
            (Allow, Authenticated, "access"),
            (Allow, Authenticated, "useradmin")
        ]

    def __init__(self, request):
        # pull out the admin user from request, do things
        self.request = request
So a view that wants to require the "useradmin" permission looks like:
from pyramid.view import view_config

@view_config(route_name='some_admin_thing', renderer='json',
             request_method='GET', permission='useradmin')
def some_admin_thing(request):
    # ...
    return {}
But the thing is, all views of this route should require "useradmin" permission. I don't like that I have
to split the declaration of authorization in two places (factory on add_route(), permission on view_config()). If I
try to put "permission" or "view_permission" on the add_route(), it wants to know the view at that
point, implying I wouldn't be able to use view_config() in the first place. Plus it appears
"view_permission" on add_route() is deprecated.
Since what I want to do seems natural here, yet it's all explicitly disallowed/discouraged, it suggests my
understanding of things is incorrect? The goal here is "declare all authorization in one place". To me,
"factory" and "permission" are both dealing with authorization and it isn't clear why add_route()
can't have some default notion of "permission", agnostic of individual views which is applied to those views.
I'll note that in this case, you could use a class based view as both
the factory and as the view:
from pyramid.view import view_defaults
from pyramid.view import view_config
from pyramid.security import Allow, Authenticated

@view_defaults(route_name='some_admin_thing', renderer='json',
               permission='useradmin')
class UserAdmin(object):
    def __init__(self, request):
        self.request = request

    @property
    def __acl__(self):
        # this is programmatic based on who is logged in,
        # but the end result might be:
        return [
            (Allow, Authenticated, "access"),
            (Allow, Authenticated, "useradmin")
        ]

    @view_config(request_method='GET')
    def GET(self):
        # ...
        return {}

    @view_config(request_method='POST')
    def POST(self):
        # ...
        return {}

and in the config...

config.add_route('some_admin_thing', '/admin_something',
                 factory=UserAdmin)
All of the views hanging off the UserAdmin object will be protected by
useradmin permission, and an instance of UserAdmin will also be used as
the context, which will put all of the security stuff in the same place,
albeit associated transitively via the 'some_admin_thing' route name.
- C
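To make concrete what "an instance of UserAdmin will also be used as the context" buys you, here is an added illustration (not Pyramid's code and not from the thread) that re-implements the ACL walk Pyramid's ACLAuthorizationPolicy performs and runs it against the UserAdmin ACL above. The Allow/Deny/Everyone/Authenticated names and the `user:` principal prefix are local stand-ins so the block runs without Pyramid installed.

```python
# Names redefined locally so this runs without Pyramid installed; they are
# stand-ins for pyramid.security's Allow, Deny, Everyone and Authenticated.
Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"


class UserAdmin:
    """Same role as the UserAdmin route factory in the thread: the context
    object whose __acl__ the view's permission is checked against."""

    def __init__(self, request):
        self.request = request

    @property
    def __acl__(self):
        # programmatic in the real thing; this is the thread's end result
        return [
            (Allow, Authenticated, "access"),
            (Allow, Authenticated, "useradmin"),
        ]


def lineage(context):
    """Yield the context, then each __parent__ up the chain."""
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)


def permits(context, principals, permission):
    """ACL walk in the style of Pyramid's ACLAuthorizationPolicy: the first
    ACE whose principal the caller holds and whose permission matches decides
    (Allow -> True, Deny -> False); no match in the whole lineage -> False."""
    for location in lineage(context):
        for action, principal, perms in getattr(location, "__acl__", ()):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
    return False


def effective_principals(userid):
    """What an authentication policy supplies: Everyone always, plus
    Authenticated and a userid principal once someone is logged in."""
    principals = {Everyone}
    if userid is not None:
        principals |= {Authenticated, "user:" + userid}
    return principals
```

The permission named on view_defaults is the "what"; the factory's __acl__ is the "who may", which is why the two halves of the declaration only meet once the route factory's instance becomes the context.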
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.