Hello.

(Cezary has just confirmed that he meant to say repoze.what. Sorry about the 
confusion)

Cezary said:
> I'd like to extend the basic user model available in repoze, and add an
> additional class called "Gallery".
> This addition is needed because I'd like to create an app for photo
> galleries. I'd like to have one user have access to many galleries and have
> different roles in each of them (i.e., a user could be the admin in the gallery
> he owns, could be able to view another one, and could be able to add
> photos to yet another). So I think I should have a different user-group
> relationship for each site (which I assume means that I need a ternary
> relationship between user, gallery and site).
> The group-permission relationship could stay as it is now because group types
> (i.e., admin, guest, friend) stay the same in the whole application.
> I'd be grateful for any suggestions on how this should be achieved "the right
> way" using repoze.

I don't think there would be a "right way" to use repoze.what here. At least 
what you describe sounds sensible to me.

The goal of repoze.what 1.X is to provide reusable objects that check for 
conditions (aka "predicate checkers"), whose result is in turn used to decide 
whether authorization can be granted -- the built-in users/groups/permissions 
implementation can be seen as an "add-on" for convenience, so it's optional.

Keep in mind that you'll need to write some predicate checkers [1]. For 
example, if you have two roles for the galleries (e.g., owner and editor), 
you'd write something like this:
"""
class is_gallery_owner(Predicate):
    message = "The current user should own the %(gallery_name)s gallery"

    def evaluate(self, environ, credentials):
        # Retrieving the current gallery from the URL
        # e.g., http://example.org/galleries/{gallery_name}
        variables = self.parse_variables(environ)
        gallery_name = variables['named_args'].get("gallery_name")
        gallery = DBSession.query(Gallery).get(gallery_name)
        # Checking if the current user is the owner of `gallery`
        user_id = credentials.get("repoze.what.userid")
        if user_id != gallery.owner_id:
            self.unmet(gallery_name=gallery_name)

class is_gallery_editor(Predicate):
    message = "The current user should be the editor of the " \
              "%(gallery_name)s gallery"

    def evaluate(self, environ, credentials):
        # Retrieving the current gallery from the URL
        # e.g., http://example.org/galleries/{gallery_name}
        variables = self.parse_variables(environ)
        gallery_name = variables['named_args'].get("gallery_name")
        gallery = DBSession.query(Gallery).get(gallery_name)
        # Checking if the current user is the editor of `gallery`
        user_id = credentials.get("repoze.what.userid")
        if user_id != gallery.editor_id:
            self.unmet(gallery_name=gallery_name)

# Note: you could move the redundant code into a base class, which would be
# extended by is_gallery_owner and is_gallery_editor.

# Let's create a short-cut to check when someone can manage a gallery:
can_manage_gallery = Or(is_gallery_owner(), is_gallery_editor())
"""

Then you could use it in your controllers, like this:
"""
@ActionProtector(Or(is_user("admin"), can_manage_gallery))
def edit_gallery(self, gallery_name):
    # If reached this point, the user is the gallery's owner, its editor
    # or the site's administrator.

@ActionProtector(Or(is_user("admin"), is_gallery_owner()))
def delete_gallery(self, gallery_name):
    # Only the gallery's owner and the site's admin can remove a gallery.

@ActionProtector(not_anonymous())
def add_photo(self, gallery_name, photo):
    # Any registered user can upload photos.
"""

You may find these links useful:
http://what.repoze.org/docs/1.x/Manual/Predicates/Writing.html
http://code.gustavonarea.net/repoze.what-pylons/Manual/Protecting.html

HTH.

[1] http://what.repoze.org/docs/1.x/Manual/Predicates/index.html
-- 
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech  ~  About me: =Gustavo/about |
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
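The following is an added, self-contained example, not code from the post above or from repoze.what itself. It shows the refactoring the post hints at (a shared base class parametrised by role) and the per-gallery user/role mapping Cezary asked about, with an unknown gallery or an anonymous visitor denied instead of raising. The Predicate and Or classes here are simplified imitations of the repoze.what 1.x predicate protocol written for this example; the GALLERY_ROLES table is constructed sample data, and the environ key "wsgiorg.routing_args" is assumed to be where the router stores the URL variables.

```python
# Added example: a stand-in for the repoze.what 1.x predicate protocol, used
# to demonstrate a role-parametrised base predicate over a per-gallery
# user -> role mapping. Not the library's code.


class NotAuthorizedError(Exception):
    """Raised when a predicate denies the request."""


class Predicate(object):
    """Imitation of the repoze.what 1.x protocol: evaluate() returns
    silently when met, or calls self.unmet() to deny."""
    message = "Not authorized"

    def evaluate(self, environ, credentials):
        raise NotImplementedError

    def unmet(self, **placeholders):
        raise NotAuthorizedError(self.message % placeholders)

    def is_met(self, environ, credentials):
        try:
            self.evaluate(environ, credentials)
        except NotAuthorizedError:
            return False
        return True


class Or(Predicate):
    """Met when at least one of the sub-predicates is met."""
    message = "None of the alternatives was met"

    def __init__(self, *predicates):
        self.predicates = predicates

    def evaluate(self, environ, credentials):
        if not any(p.is_met(environ, credentials) for p in self.predicates):
            self.unmet()


# Constructed sample data standing in for the Gallery table:
# gallery name -> {user id: role in that gallery}.
GALLERY_ROLES = {
    "holidays": {"alice": "owner", "bob": "editor"},
    "cats": {"bob": "owner"},
}


class has_gallery_role(Predicate):
    """Base class: met when the current user holds `role` in the gallery
    named in the URL. Unknown galleries and anonymous users are denied,
    so a malformed URL cannot turn into an error path that skips the check."""
    role = None
    message = "The current user should be the %(role)s of the %(gallery_name)s gallery"

    def evaluate(self, environ, credentials):
        # Assumption: the router stores (positional, named) URL variables
        # under environ["wsgiorg.routing_args"].
        _, named_args = environ.get("wsgiorg.routing_args", ((), {}))
        gallery_name = named_args.get("gallery_name")
        user_id = credentials.get("repoze.what.userid")
        roles = GALLERY_ROLES.get(gallery_name, {})
        if user_id is None or roles.get(user_id) != self.role:
            self.unmet(role=self.role, gallery_name=gallery_name)


class is_gallery_owner(has_gallery_role):
    role = "owner"


class is_gallery_editor(has_gallery_role):
    role = "editor"


can_manage_gallery = Or(is_gallery_owner(), is_gallery_editor())


def check(predicate, gallery_name, user_id):
    """Build a request for /galleries/{gallery_name} made by `user_id`
    (None for an anonymous visitor) and report whether `predicate` is met."""
    environ = {"wsgiorg.routing_args": ((), {"gallery_name": gallery_name})}
    credentials = {} if user_id is None else {"repoze.what.userid": user_id}
    return predicate.is_met(environ, credentials)


if __name__ == "__main__":
    print(check(can_manage_gallery, "holidays", "bob"))    # True: bob edits it
    print(check(is_gallery_owner(), "holidays", "bob"))    # False: alice owns it
    print(check(can_manage_gallery, "missing", "alice"))   # False: no such gallery
```

Adding a third role (say, "viewer") is then a two-line subclass, and every check stays deny-by-default because the only way a predicate is met is an exact role match on an existing gallery.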