On Wednesday April 29, 2009 12:37:02 Jorge Vargas wrote:
> > On Monday April 27, 2009 10:42:35 Jorge Vargas wrote:
> >> more interesting than that template_vars.tg.identity returns None when
> >> the user isn't logged on. which means you will have to precheck all
> >> your access tests in something along the lines of
> >>
> >> if tg.identity and tg.identity['user'] == "something"
> >>
> >> which is too weird.
> >
> > You could turn the repoze.who identity dict into a TG2 Bunch and
> > customize that too.
> >
> >> on top of that it seems to me that checks in the form of are simply not
> >> possible py:if="'admin' in tg.identity.groups""
> >
> > It's always been discouraged to deal with that repoze.what stuff
> > directly, as it's going to change somewhere in v1.X and disappear in v2
> > -- it's something internal to repoze.what.
> I think you missed the point. by "Identity" I'm not talking about
> repoze.who.identity dict, I'm talking about the concept of allowing
> you to evaluate your object with pythonic calls. "if user in group"
> type of thing.

"Identity" is an ambiguous term, specially in this context; I'd rather hear 
exactly "authentication" or "authorization" -- hence I replied to both 
meanings just in case, because I wasn't certainly sure what you meant.

> >> is there an obvious way of doing this with repoze.what that I'm
> >> missing?
> >
> > You have two options to do that, which are also simpler (from my point of
> > view):
> > http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicat
> >e-evaluators
> is this syntax really better at the template level?
> <p py:if="tg.predicates.is_user('jorge')">Hi Jorge</p>
> I find it a lot more verbose

Yes, it is.

> , also isn't this evaluating the predicate
> twice?

No, as far as I see.

> by the way from repoze.what.plugins.pylonshq import is_met is not the
> correct path.

Are you using an old version of repoze.what-pylons? That function wasn't 
present in early betas.

It works over here:
> >>> from repoze.what.plugins import pylonshq
> >>> dir(pylonshq)
> ['ActionProtector', 'ControllerProtector', '__all__', '__builtins__',
>  '__doc__', '__file__', '__name__', '__package__', '__path__',
>  'booleanize_predicates', 'debooleanize_predicates', 'is_met', 'not_met',
>  'protectors', 'utils']
> >>> from repoze.what.plugins.pylonshq import is_met
> >>> is_met
> <function is_met at 0xa55a3e4>

> > http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean-
> >predicates
> could you please explain why this warning? I'm really shock here. are
> you telling us that the default way TG is using repoze.what will break
> your security? last time I read the ticket regarding this
> implementation it was never mention that this will be a security
> issue.

I always warned it was a horrible idea, totally discouraged by me, which 
_could_ (not "will") bring side-effects and/or make the application error-

That warning just lists the exact situations under which there may be security 
flaws because of that misfeature.

> >> Also keep in mind this is pure syntax sugar as the real
> >> security check was done in the controller. Last but not least is this
> >> a class that is worth including in r.what? or should we keep it TG
> >> only? IMO this api is nice enough to work on any python
> >> template/framework and I think it's totally worth pushing into what.
> >
> > Regarding the repoze.who identity dict, I think TG2 could turn that dict
> > into a Bunch if you find it necessary.
> That's a good idea but you keep telling us that's "internal" for
> repoze.what and we can't rely on it so why/how can we work with it if
> it's going away?

There will be a 100% backwards-compatible 1.5 release eventually, which will 
backport all possible enhancements from version 2.0. But repoze.what 2 won't 
have such a dictionary and thus it's likely* that v1.5 won't have it either 
(even if it keeps the dictionary, the arrangement may change).

Hence I can't suggest you to use it directly. Predicate checkers are the safe 

* repoze.what 2 is still taking shape, so at this point it's hard to tell if 
it'd be present in v1.5 or not. I just can assure it won't be present in v2 
(in fact it's one of the main reasons why I'm rewriting it all).

> > Regarding accessing the repoze.what credentials dict, it shouldn't be
> > supported because it's not intended to be used directly. Instead, I'd
> > recommend predicate evaluators -- and TG2 could have a short-cut to
> > is_met() and not_met() in the template.
> What's so wrong with making the predicates behave like boolean objects?

They make your code error-prone and may cause side-effects (e.g., security 
flaws) in some situations, as explained in detail in the repoze.what-pylons 

Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech  ~  About me: =Gustavo/about |
Repoze-dev mailing list

Reply via email to