On Mon, Apr 27, 2009 at 5:15 AM, Gustavo Narea <m...@gustavonarea.net> wrote:
> Hola, Jorge.
>
> On Monday April 27, 2009 10:42:35 Jorge Vargas wrote:
>> more interesting than that template_vars.tg.identity returns None when
>> the user isn't logged on. which means you will have to precheck all
>> your access tests in something along the lines of
>>
>> if tg.identity and tg.identity['user'] == "something"
>>
>> which is too weird.
>
> You could turn the repoze.who identity dict into a TG2 Bunch and customize
> that too.
>
>
>> on top of that it seems to me that checks in the form of are simply not
>> possible py:if="'admin' in tg.identity.groups"
>
> It's always been discouraged to deal with that repoze.what stuff directly,
> as it's going to change somewhere in v1.X and disappear in v2 -- it's something
> internal to repoze.what.
>
I think you missed the point. By "Identity" I'm not talking about
repoze.who.identity dict, I'm talking about the concept of allowing
you to evaluate your object with pythonic calls. "if user in group"
type of thing.

>
>> is there an obvious way of doing this with repoze.what that I'm
>> missing?
>
> You have two options to do that, which are also simpler (from my point of view):
> http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicate-evaluators
Is this syntax really better at the template level?
<p py:if="tg.predicates.is_user('jorge')">Hi Jorge</p>

I find it a lot more verbose, also isn't this evaluating the predicate twice?

by the way from repoze.what.plugins.pylonshq import is_met is not the
correct path.

> http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean-predicates
>
Could you please explain why this warning? I'm really shocked here. Are
you telling us that the default way TG is using repoze.what will break
your security? Last time I read the ticket regarding this
implementation it was never mentioned that this will be a security
issue.

>
>> Also keep in mind this is pure syntax sugar as the real
>> security check was done in the controller. Last but not least is this
>> a class that is worth including in r.what? or should we keep it TG
>> only? IMO this api is nice enough to work on any python
>> template/framework and I think it's totally worth pushing into what.
>
> Regarding the repoze.who identity dict, I think TG2 could turn that dict into a
> Bunch if you find it necessary.
>
That's a good idea but you keep telling us that's "internal" for
repoze.what and we can't rely on it so why/how can we work with it if
it's going away?

> Regarding accessing the repoze.what credentials dict, it shouldn't be supported
> because it's not intended to be used directly. Instead, I'd recommend predicate
> evaluators -- and TG2 could have a short-cut to is_met() and not_met() in the
> template.

What's so wrong with making the predicates behave like boolean objects?

>
> HTH,
> --
> Gustavo Narea <xri://=Gustavo>.
> | Tech blog: =Gustavo/(+blog)/tech  ~  About me: =Gustavo/about |
> _______________________________________________
> Repoze-dev mailing list
> Repoze-dev@lists.repoze.org
> http://lists.repoze.org/listinfo/repoze-dev
>
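
An added illustration of the template check discussed in this thread, not part of either message and not repoze.what's code: IsUser, is_met and the render helpers are hypothetical stand-ins, and the sample environs are constructed. It shows that a predicate object tested directly in a condition is truthy for every visitor unless it is evaluated against the request, and that the None identity of an anonymous request has to be handled inside the check.

```python
# Hypothetical stand-ins for illustration; these are NOT repoze.what classes.

class IsUser:
    """Predicate object: it only knows how to check a given WSGI environ."""

    def __init__(self, name):
        self.name = name

    def check(self, environ):
        # The identity is None when nobody is logged in, so guard it here
        # once instead of in every template expression.
        identity = environ.get("repoze.who.identity")
        return bool(identity) and identity.get("user") == self.name


def is_met(predicate, environ):
    """Explicit evaluator: the request being checked is passed in."""
    return predicate.check(environ)


def render_naive(predicate, environ):
    # Mirrors a template test on the bare object. A plain Python object
    # defines no __bool__, so it is truthy and the block shows for everyone.
    return "Hi Jorge" if predicate else ""


def render_evaluated(predicate, environ):
    # Mirrors a template test that goes through the evaluator.
    return "Hi Jorge" if is_met(predicate, environ) else ""


# Constructed sample requests (assumed identity layout: 'user' and 'groups').
ANONYMOUS = {"repoze.who.identity": None}
JORGE = {"repoze.who.identity": {"user": "jorge", "groups": ["admin"]}}
OTHER = {"repoze.who.identity": {"user": "gustavo", "groups": []}}

if __name__ == "__main__":
    for label, env in (("anonymous", ANONYMOUS), ("jorge", JORGE), ("other", OTHER)):
        print(label, repr(render_naive(IsUser("jorge"), env)),
              repr(render_evaluated(IsUser("jorge"), env)))
```
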