Hello, I'm sorry about the big delay, I had little time to work on this lately.
On Monday January 26, 2009 20:03:20 Tres Seaver wrote:
> I would make 'check_authorization' call a new method
> 'evaluate_with_variables', which just passes through to 'evaluate' in
> the base class (Predicate): people could override it to do the extra
> checking. The cost is one extra function call for those not using the
> indirection, but preserves backward compatibility.

Thanks for that, Tres!

I solved this inspired by your suggestion: I added a method which returns the
POST and GET variables, so that you can use it as in:

    from repoze.what.predicates import Predicate

    # Say you use SQLAlchemy:
    from yourcoolapplication.model import BlogPost, DBSession

    class post_is_managed_by_author(Predicate):
        message = 'Only %(author)s can manage post %(post_id)s'

        def evaluate(self, environ, credentials):
            # Extracting the post Id from the GET variables
            vars = self.get_variables(environ)
            post_id = vars.get.get('post_id')
            # Loading the post object
            post = DBSession.query(BlogPost).get(post_id)
            # Checking if it's the author
            if post.author_userid != credentials.get('repoze.what.userid'):
                self.unmet(post_id=post_id, author=post.author_userid)

Then you can build the following compound predicates:

    from repoze.what.predicates import All, has_permission

    # Can the user edit the post?
    p1 = All(has_permission('edit-posts'), post_is_managed_by_author())
    # Can the user delete the post?
    p2 = All(has_permission('delete-posts'), post_is_managed_by_author())

This way backwards compatibility is not broken.

It will be available in repoze.what 1.0.4, which I hope to release tomorrow.

What do you people think about it?

Cheers.

-- 
Gustavo Narea <http://gustavonarea.net/>.
Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/
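
Added example, not part of the message above and not repoze.what code: a self-contained sketch of the same ownership check that denies, rather than raising an unrelated error, when `post_id` is missing, repeated, malformed or unknown, or when the user is anonymous. The `POSTS` table, the `permissions` credentials key and all helper names are assumptions standing in for the model and the library.

```python
# Stand-ins for illustration only; none of this is the repoze.what API.
import re
from urllib.parse import parse_qs

class NotAuthorized(Exception):
    """Raised when a predicate is not met."""

# Constructed sample data standing in for the BlogPost table: id -> author.
POSTS = {1: "alice", 2: "bob"}

def has_permission(name):
    def check(environ, credentials):
        if name not in credentials.get("permissions", ()):
            raise NotAuthorized("missing permission %s" % name)
    return check

def post_is_managed_by_author(environ, credentials):
    # Read post_id from the GET variables (the WSGI query string).
    values = parse_qs(environ.get("QUERY_STRING", "")).get("post_id", [])
    # Deny a missing, repeated or non-numeric id instead of guessing.
    if len(values) != 1 or not re.fullmatch(r"[0-9]{1,9}", values[0]):
        raise NotAuthorized("invalid post_id")
    post_id = int(values[0])
    author = POSTS.get(post_id)
    userid = credentials.get("repoze.what.userid")
    # Deny unknown posts and anonymous users explicitly, so a missing author
    # can never compare equal to a missing userid (None == None).
    if author is None or userid is None or author != userid:
        raise NotAuthorized("post %d is not managed by this user" % post_id)

def all_of(*predicates):
    # Every predicate must pass; the first failure denies the request.
    def check(environ, credentials):
        for predicate in predicates:
            predicate(environ, credentials)
    return check

def is_allowed(predicate, query_string, credentials):
    try:
        predicate({"QUERY_STRING": query_string}, credentials)
        return True
    except NotAuthorized:
        return False

# Can the user edit the post?
can_edit = all_of(has_permission("edit-posts"), post_is_managed_by_author)
```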