Hello!

On Wednesday April 29, 2009 12:37:02 Jorge Vargas wrote:
> > On Monday April 27, 2009 10:42:35 Jorge Vargas wrote:
> >> More interesting than that, template_vars.tg.identity returns None when
> >> the user isn't logged on, which means you will have to precheck all
> >> your access tests with something along the lines of
> >>
> >> if tg.identity and tg.identity['user'] == "something"
> >>
> >> which is too weird.
> >
> > You could turn the repoze.who identity dict into a TG2 Bunch and
> > customize that too.
> >
> >> On top of that, it seems to me that checks of the form
> >> py:if="'admin' in tg.identity.groups" are simply not possible.
> >
> > It's always been discouraged to deal with that repoze.what stuff
> > directly, as it's going to change somewhere in v1.X and disappear in v2
> > -- it's something internal to repoze.what.
>
> I think you missed the point. By "Identity" I'm not talking about the
> repoze.who.identity dict, I'm talking about the concept of allowing
> you to evaluate your object with pythonic calls: "if user in group"
> type of thing.

"Identity" is an ambiguous term, especially in this context; I'd rather hear 
exactly "authentication" or "authorization" -- hence I replied to both 
meanings just in case, because I wasn't entirely sure what you meant.


> >> is there an obvious way of doing this with repoze.what that I'm
> >> missing?
> >
> > You have two options to do that, which are also simpler (from my point of
> > view):
> > http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicat
> >e-evaluators
>
> is this syntax really better at the template level?
> <p py:if="tg.predicates.is_user('jorge')">Hi Jorge</p>
>
> I find it a lot more verbose

Yes, it is.

> , also isn't this evaluating the predicate
> twice?

No, as far as I see.


> By the way, "from repoze.what.plugins.pylonshq import is_met" is not the
> correct path.

Are you using an old version of repoze.what-pylons? That function wasn't 
present in early betas.

It works over here:
"""
> >>> from repoze.what.plugins import pylonshq
> >>> dir(pylonshq)
> ['ActionProtector', 'ControllerProtector', '__all__', '__builtins__',
>  '__doc__', '__file__', '__name__', '__package__', '__path__',
>  'booleanize_predicates', 'debooleanize_predicates', 'is_met', 'not_met',
>  'protectors', 'utils']
> >>> from repoze.what.plugins.pylonshq import is_met
> >>> is_met
> <function is_met at 0xa55a3e4>
"""


> > http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean-
> >predicates
>
> Could you please explain why this warning? I'm really shocked here. Are
> you telling us that the default way TG is using repoze.what will break
> your security? Last time I read the ticket regarding this
> implementation it was never mentioned that this would be a security
> issue.

I always warned it was a horrible idea, totally discouraged by me, which 
_could_ (not "will") bring side-effects and/or make the application error-
prone.

That warning just lists the exact situations under which there may be security 
flaws because of that misfeature.


> >> Also keep in mind this is pure syntax sugar as the real
> >> security check was done in the controller. Last but not least is this
> >> a class that is worth including in r.what? or should we keep it TG
> >> only? IMO this api is nice enough to work on any python
> >> template/framework and I think it's totally worth pushing into what.
> >
> > Regarding the repoze.who identity dict, I think TG2 could turn that dict
> > into a Bunch if you find it necessary.
>
> That's a good idea but you keep telling us that's "internal" for
> repoze.what and we can't rely on it so why/how can we work with it if
> it's going away?

There will be a 100% backwards-compatible 1.5 release eventually, which will 
backport all possible enhancements from version 2.0. But repoze.what 2 won't 
have such a dictionary and thus it's likely* that v1.5 won't have it either 
(even if it keeps the dictionary, the arrangement may change).

Hence I can't suggest you use it directly. Predicate checkers are the safe 
bet.

* repoze.what 2 is still taking shape, so at this point it's hard to tell 
whether it'd be present in v1.5 or not. I can only assure you it won't be 
present in v2 (in fact it's one of the main reasons why I'm rewriting it all).


> > Regarding accessing the repoze.what credentials dict, it shouldn't be
> > supported because it's not intended to be used directly. Instead, I'd
> > recommend predicate evaluators -- and TG2 could have a short-cut to
> > is_met() and not_met() in the template.
>
> What's so wrong with making the predicates behave like boolean objects?

They make your code error-prone and may cause side-effects (e.g., security 
flaws) in some situations, as explained in detail in the repoze.what-pylons 
docs.

Cheers!
-- 
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech  ~  About me: =Gustavo/about |
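An added illustration (not code from the thread or from repoze.what itself) of the point argued above: a predicate object is truthy like any Python object, so using it directly as a template condition passes for everyone, whereas an explicit evaluator in the spirit of repoze.what-pylons' is_met()/not_met() checks it against the request environ. The class and key names mirror repoze.what's, but the implementation and the sample environs are constructed here.

```python
class Predicate:
    """Base predicate; only evaluate(environ) knows whether it is met."""

    def evaluate(self, environ):
        raise NotImplementedError

    # Deliberately no __bool__: an instance is truthy like any object,
    # which is exactly why `if predicate:` in a template always passes.


class is_user(Predicate):
    def __init__(self, user_name):
        self.user_name = user_name

    def evaluate(self, environ):
        identity = environ.get("repoze.who.identity") or {}
        return identity.get("repoze.who.userid") == self.user_name


class in_group(Predicate):
    def __init__(self, group):
        self.group = group

    def evaluate(self, environ):
        creds = environ.get("repoze.what.credentials") or {}
        return self.group in creds.get("groups", ())


def is_met(predicate, environ):
    """Explicit evaluator, modelled on repoze.what-pylons' is_met()."""
    return predicate.evaluate(environ)


def not_met(predicate, environ):
    return not predicate.evaluate(environ)


def naive_check(predicate):
    """What a template does with a bare predicate object: bool(obj)."""
    return bool(predicate)


# Constructed sample environs: an anonymous request and a logged-in admin.
ANON_ENVIRON = {}
ADMIN_ENVIRON = {
    "repoze.who.identity": {"repoze.who.userid": "jorge"},
    "repoze.what.credentials": {"groups": ["admin"]},
}
```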
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev