+1 to Mike's 6/21 post.  I really couldn't say any of that better; 90% of 
it is things that have occurred to me in my own work; I can't really think 
of anything to add to the discussion.  I'm not sure there's any great and 
terrible need to change anything, but it would be very good to keep the 
perspective he's presenting in consideration.  Pyramid is doing a pretty 
great job of being many things to many people, and I happen to think that 
the points Mike illustrates are some of the more noteworthy places where it 
does seem to strain just a little to do it.


On Monday, May 28, 2012 9:26:52 AM UTC-7, mike bayer wrote:
>
> I've made a 40% effort to figure this one out but at least I've figured 
> many other things out without bugging the list .... (the irc channel is 
> another story ;) ) 
>
> Here's a route in application.py: 
>
> config.add_route('some_admin_thing', '/admin_something', 
> factory=AdminUserACL) 
>
> Here's the general idea of AdminUserACL: 
>
> class AdminUserACL(object): 
>     @property 
>     def __acl__(self): 
>         # this is programmatic based on who is logged in, 
>         # but the end result might be: 
>         return [ 
>            (Allow, Authenticated, "access"), 
>            (Allow, Authenticated, "useradmin") 
>         ] 
>
>     def __init__(self, request): 
>         # pull out the admin user from request, do things 
>         self.request = request 
>
> So a view that wants to require the "useradmin" permission looks like: 
>
> @view_config(route_name='some_admin_thing', renderer='json', 
>              request_method='GET', permission='useradmin') 
> def some_admin_thing(request): 
>      # ... 
>
> But the thing is, all views of this route should require "useradmin" 
> permission.    I don't like that I have to split the declaration of 
> authorization in two places (factory on add_route(), permission on 
> view_config()).    If I try to put "permission" or "view_permission" on the 
> add_route(), it wants to know the view at that point, implying I wouldn't 
> be able to use view_config() in the first place.   Plus it appears 
> "view_permission" on add_route() is deprecated. 
>
> Since what I want to do seems natural here, yet it's all explicitly 
> disallowed/discouraged, it suggests my understanding of things is incorrect 
> ?   The goal here is "declare all authorization in one place".   To me, 
> "factory" and "permission" are both dealing with authorization and it isn't 
> clear why add_route() can't have some default notion of "permission", 
> agnostic of individual views which is applied to those views. 
>