I'm sorry about the big delay, I had little time to work on this lately.

On Monday January 26, 2009 20:03:20 Tres Seaver wrote:
> I would make 'check_authorization' call a new method
> 'evaluate_with_variables', which just passes through to 'evaluate' in
> the base class (Predicate):  people could override it to do the extra
> checking.  The cost is one extra function call for those not using the
> indirection, but preserves backward compatibility.

Thanks for that, Tres! I solved this inspired by your suggestion: I added a 
method which returns the POST and GET variables, so that you can use it as in:

    from repoze.what.predicates import Predicate
    # Say you use SQLAlchemy:
    from yourcoolapplication.model import BlogPost, DBSession

    class post_is_managed_by_author(Predicate):
        message = 'Only %(author)s can manage post %(post_id)s'

        def evaluate(self, environ, credentials):
            # Extract the post Id from the GET variables
            variables = self.get_variables(environ)
            post_id = variables.get.get('post_id')
            # Load the post object; fail closed if the Id is missing or unknown
            post = DBSession.query(BlogPost).get(post_id) if post_id else None
            if post is None:
                self.unmet(post_id=post_id, author='the author')
            # Check that the current user is the author
            if post.author_userid != credentials.get('repoze.what.userid'):
                self.unmet(post_id=post_id, author=post.author_userid)

Then you can build the following compound predicates:

    from repoze.what.predicates import All, has_permission
    # Can the user edit the post?
    p1 = All(has_permission('edit-posts'), post_is_managed_by_author())
    # Can the user delete the post?
    p2 = All(has_permission('delete-posts'), post_is_managed_by_author())

This way backwards compatibility is not broken.

It will be available in repoze.what 1.0.4, which I hope to release tomorrow.

What do you people think about it?

Gustavo Narea <http://gustavonarea.net/>.

Get rid of unethical constraints! Get freedomware:
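The predicate pattern from the post above, as an added, self-contained example that is not repoze.what's own code nor code from the post: the classes Predicate, All and has_permission, the get_variables helper, the PredicateError exception and the in-memory POSTS table are all assumptions written here so the authorization flow (request variable extraction, fail-closed lookup, compound predicate) runs without repoze.what or SQLAlchemy.

```python
"""Added example: a minimal re-implementation of the predicate pattern
discussed on the list.  All names below are assumptions, not the
repoze.what API."""
from types import SimpleNamespace
from urllib.parse import parse_qs


class PredicateError(Exception):
    """Raised when a predicate is not met; carries the rendered message."""


class Predicate:
    message = "Predicate not met"

    def evaluate(self, environ, credentials):
        raise NotImplementedError

    def unmet(self, **placeholders):
        raise PredicateError(self.message % placeholders)

    def get_variables(self, environ):
        # Assumption: only the query string is parsed; a real request parser
        # would also read the POST body.  Returned as an object so that
        # variables.get.get('post_id') works as in the post.
        query = parse_qs(environ.get("QUERY_STRING", ""))
        return SimpleNamespace(get={k: v[0] for k, v in query.items()}, post={})

    def is_met(self, environ, credentials):
        try:
            self.evaluate(environ, credentials)
        except PredicateError:
            return False
        return True


class All(Predicate):
    """Met only when every sub-predicate is met; the first failure wins."""

    def __init__(self, *predicates):
        self.predicates = predicates

    def evaluate(self, environ, credentials):
        for predicate in self.predicates:
            predicate.evaluate(environ, credentials)


class has_permission(Predicate):
    message = "The user must have the %(permission)s permission"

    def __init__(self, permission):
        self.permission = permission

    def evaluate(self, environ, credentials):
        if self.permission not in credentials.get("permissions", ()):
            self.unmet(permission=self.permission)


# Constructed stand-in for the BlogPost table: post_id -> author userid
POSTS = {"1": "alice", "2": "bob"}


class post_is_managed_by_author(Predicate):
    message = "Only %(author)s can manage post %(post_id)s"

    def evaluate(self, environ, credentials):
        post_id = self.get_variables(environ).get.get("post_id")
        author = POSTS.get(post_id)
        if author is None:
            # Fail closed: a missing or unknown post Id must never grant access
            raise PredicateError("Post %r does not exist" % (post_id,))
        if author != credentials.get("repoze.what.userid"):
            self.unmet(post_id=post_id, author=author)


# Compound predicates, as in the post
can_edit = All(has_permission("edit-posts"), post_is_managed_by_author())
can_delete = All(has_permission("delete-posts"), post_is_managed_by_author())


def make_environ(query_string):
    """Minimal WSGI environ, constructed for the example."""
    return {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}


def make_credentials(userid, permissions):
    return {"repoze.what.userid": userid, "permissions": set(permissions)}


def can(predicate, query_string, userid, permissions):
    """True if the predicate is met for this request and user."""
    return predicate.is_met(make_environ(query_string),
                            make_credentials(userid, permissions))


def denial_reason(predicate, query_string, userid, permissions):
    """The rendered message for a denied request, or None if allowed."""
    try:
        predicate.evaluate(make_environ(query_string),
                           make_credentials(userid, permissions))
    except PredicateError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(can(can_edit, "post_id=1", "alice", ["edit-posts"]))
    print(denial_reason(can_edit, "post_id=1", "bob", ["edit-posts"]))
```

Note the ordering inside All: the cheap permission check runs before the database lookup, and the object-level check fails closed when the post Id is absent or unknown, so a request with no post_id cannot slip through as "authorized".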