I'm sorry about the big delay; I've had little time to work on this lately.
On Monday January 26, 2009 20:03:20 Tres Seaver wrote:
> I would make 'check_authorization' call a new method
> 'evaluate_with_variables', which just passes through to 'evaluate' in
> the base class (Predicate): people could override it to do the extra
> checking. The cost is one extra function call for those not using the
> indirection, but preserves backward compatibility.
Thanks for that, Tres! I solved this inspired by your suggestion: I added a
method which returns the POST and GET variables, so that you can use it as in:
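
    from repoze.what.predicates import Predicate

    # Say you use SQLAlchemy:
    from yourcoolapplication.model import BlogPost, DBSession

    class post_is_managed_by_author(Predicate):
        message = 'Only %(author)s can manage post %(post_id)s'

        def evaluate(self, environ, credentials):
            # Extracting the post Id from the GET variables
            vars = self.get_variables(environ)
            post_id = vars.get.get('post_id')
            # Loading the post object
            post = DBSession.query(BlogPost).get(post_id)
            # Checking if it's the author
            if post.author_userid != credentials.get('repoze.what.userid'):
                # The body of this branch is missing from the archived message;
                # assumed here: unmet() marks the predicate as not met and
                # fills in the placeholders used by `message`.
                self.unmet(post_id=post_id, author=post.author_userid)
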
Then you can build the following compound predicates:

    from repoze.what.predicates import All, has_permission

    # Can the user edit the post?
    p1 = All(has_permission('edit-posts'), post_is_managed_by_author())
    # Can the user delete the post?
    p2 = All(has_permission('delete-posts'), post_is_managed_by_author())

This way backwards compatibility is not broken.
It will be available in repoze.what 1.0.4, which I hope to release tomorrow.
What do you people think about it?
Gustavo Narea <http://gustavonarea.net/>.
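
The per-object ownership check described in the message above, written so that it fails closed on a missing or malformed `post_id`, an unknown post, and an anonymous user. This is an added example, not code from the original message or from repoze.what: `Predicate`, `NotAuthorized`, `get_query_variables`, `POSTS` and `is_allowed` are stand-ins assumed here so the block runs without the library or a database.

```python
from urllib.parse import parse_qs

class NotAuthorized(Exception):
    """Stand-in for the error raised when a predicate is not met."""

class Predicate:
    """Minimal stand-in for repoze.what.predicates.Predicate (assumption)."""
    message = 'Denied'

    def unmet(self, **placeholders):
        raise NotAuthorized(self.message % placeholders)

    def get_query_variables(self, environ):
        # Hypothetical helper: GET variables only, first value per name.
        query = parse_qs(environ.get('QUERY_STRING', ''))
        return {name: values[0] for name, values in query.items()}

# Constructed sample data standing in for the BlogPost table.
POSTS = {1: 'alice', 2: 'bob', 3: None}   # post id -> author_userid

class post_is_managed_by_author(Predicate):
    message = 'Only the author can manage post %(post_id)s'

    def evaluate(self, environ, credentials):
        raw_id = self.get_query_variables(environ).get('post_id', '')
        userid = credentials.get('repoze.what.userid')
        # Fail closed: an anonymous user or a malformed id is a denial,
        # never an unhandled exception further down.
        if userid is None or not raw_id.isdecimal():
            self.unmet(post_id=raw_id or '(missing)')
        author = POSTS.get(int(raw_id))
        # Unknown post, or a post without an author: reject explicitly so
        # that a None author can never compare equal to a missing user id.
        if author is None or author != userid:
            self.unmet(post_id=raw_id)

def is_allowed(query_string, userid):
    """Evaluate the predicate for a constructed request; True if met."""
    environ = {'QUERY_STRING': query_string}
    credentials = {'repoze.what.userid': userid} if userid else {}
    try:
        post_is_managed_by_author().evaluate(environ, credentials)
        return True
    except NotAuthorized:
        return False
```
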