Previously Chris McDonough wrote:
>      def remember(self, principal, token):
>          """ Return a set of headers suitable for 'remembering' the
>          principal on subsequent requests """
>      def forget():
>          """ Return a set of headers suitable for 'forgetting' the
>          current user on subsequent requests"""

It would be nice if there was also a handy utility function to apply
those headers to a response. I suspect that code is often repeated now.

> class IAuthorizationPolicy(Interface):
>      """ An adapter on context """
>      def permits(self, principals, permission):
>          """ Return True if any of the principals is allowed the
>          permission in the current context, else return False """
>      def principals_allowed_by_permission(self, permission):
>          """ Return a set of principal identifiers allowed by the permission """

There are situations where principals_allowed_by_permission may not be
possible, or at least very expensive. In LDAP/AD environments for
example getting a list of all principals is often not doable. This
should be reflected in the API somehow. Perhaps allow for
principals_allowed_by_permission to return a value indicating it is not
willing to support this?

The same holds for the version in ISecurityPolicy.

I wonder if we should also set the exceptions that can be thrown by
those routines. Depending on the implementation that can be DB-API
exceptions, LDAP exceptions, or anything else which would mean that
people using this API will end up having to use a bare try/except.


Wichert Akkerman
It is simple to make things. It is hard to make things simple.
Repoze-dev mailing list
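
The two suggestions in the message above (a return value that signals "enumeration not supported", and a defined exception type in place of backend-specific ones) can be sketched as follows. This is an added example, not code from the thread or from repoze; `PolicyBackendError`, `ENUMERATION_UNSUPPORTED`, `DirectoryDown`, `DirectoryPolicy` and the two caller helpers are hypothetical names, and the ACL data is constructed.

```python
class PolicyBackendError(Exception):
    """Hypothetical: the single exception type the policy API documents."""


class DirectoryDown(Exception):
    """Constructed stand-in for an LDAP or DB-API driver exception."""


# Hypothetical sentinel: "this policy will not enumerate principals".
ENUMERATION_UNSUPPORTED = object()


class DirectoryPolicy:
    """Toy policy: can test membership but cannot list every principal."""

    def __init__(self, acl, available=True):
        self.acl = acl              # constructed data: permission -> principals
        self.available = available  # simulates a directory outage

    def _allowed(self, permission):
        if not self.available:
            raise DirectoryDown("connection refused")
        return self.acl.get(permission, frozenset())

    def permits(self, principals, permission):
        try:
            allowed = self._allowed(permission)
        except DirectoryDown as exc:
            # Translate the backend error so callers catch one known type.
            raise PolicyBackendError(str(exc)) from exc
        return any(p in allowed for p in principals)

    def principals_allowed_by_permission(self, permission):
        return ENUMERATION_UNSUPPORTED


def check_access(policy, principals, permission):
    """Caller side: fail closed on backend errors, no bare except needed."""
    try:
        return policy.permits(principals, permission)
    except PolicyBackendError:
        return False


def describe_allowed(policy, permission):
    """Caller side: distinguish 'nobody allowed' from 'cannot enumerate'."""
    result = policy.principals_allowed_by_permission(permission)
    if result is ENUMERATION_UNSUPPORTED:
        return "enumeration not supported"
    return ", ".join(sorted(result)) or "nobody"
```

Denying access when the backend is unreachable is a choice made in `check_access`; the policy itself only guarantees which exception type the caller has to handle.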