Thanks a lot Chris. Now I understand it very clearly. What I'm going to do is put an "editing" lock on one of the wiki pages; all other pages allow everyone to view and edit. Based on the SQLAlchemy + URL dispatch wiki tutorial, I changed the RootFactory to the following to accomplish the task:

    from repoze.bfg.security import Allow, Everyone

    class RootFactory(object):
        def __init__(self, environ):
            # The route's matched segments; 'pagename' comes from the URL pattern.
            matchdict = environ['bfg.routes.matchdict']
            page = matchdict.get('pagename')
            if page == "MyPage":
                # Locked page: anyone may view, only 'editor' may edit.
                self.__acl__ = [(Allow, Everyone, 'view'), (Allow, 'editor', 'edit')]
            else:
                # Every other page: anyone may edit.
                self.__acl__ = [(Allow, Everyone, 'edit')]

It is just a very simple "try and see" piece of code to make sure I understand the security description of repoze.bfg, by adding some trivial logic into the tutorial code. And I agree with you that in a real case a lookup table is the way I should go.

On Tue, Oct 13, 2009 at 4:20 PM, Chris McDonough <chr...@plope.com> wrote:
> george hu wrote:
>
>> Okay, now I tried to change the RootFactory class as this:
>>
>> def __init__(self,environ):
>>     matchdict = environ['bfg.routes.matchdict']
>>     page = matchdict.get('pagename',None)
>>     if page == "APage":
>>         self.__acl__=[(Allow,Everyone,'view'),(Allow,'editor','edit')]
>>
>> What I want is to pop up a login page for a specific pagename (APage) and
>> when it is authenticated it brings me to the edit page. It did when I tried
>> to access APage. But it did this on other pages and I couldn't access the
>> edit page even when I provided the correct user/password. Should I add a new
>> factory directive in ZCML, say GetPage, and create a Factory class GetPage in
>> model.py and put
>>     page = session.query(Page).filter_by(name=matchdict['pagename']).one()
>> also the acl part in it and return the page?
>>
>
> I don't know what this means in terms of your specific application, but the
> context you return (the result of the "factory") should have "the right" ACL
> based on the elements that are matched in the matchdict. So for instance,
> for the URL pattern "/pages/:pagename"
>
> - For the URL /pages/1, "pagename" is "1".
>
> - For the URL /pages/2, "pagename" is "2".
>
> Let's say when the pagename is "1" you want to allow editors to edit and
> everyone else to view. But when the pagename is any other page name, you
> want to allow only editors to view and edit. This means that you'd do
> something like:
>
> class TheFactory(object):
>     def __init__(self, environ):
>         matchdict = environ['bfg.routes.matchdict']
>         page = matchdict.get('pagename')
>         if page == '1':
>             self.__acl__ = [(Allow, 'editor', 'edit'),
>                             (Allow, Everyone, 'view')]
>         else:
>             self.__acl__ = [(Allow, 'editor', 'view'),
>                             (Allow, Everyone, 'view')]
>
> Obviously this won't scale for arbitrary values of "pagename" over time, so
> you'll want to keep some sort of lookup table in your database that maps
> page names to "acl names" or so, so you can attach the correct ACL. Use the
> table within the factory to compute the acl and attach it.
>
> - C
>
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
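The lookup-table approach Chris describes, worked through as an added example that is not code from this thread or from repoze.bfg itself. A route factory resolves the matched 'pagename' to an ACL name through a table (an in-memory dict here, standing in for the database table), and a small permits() function re-implements the first-matching-ACE rule that repoze.bfg's ACLAuthorizationPolicy applies, so the result can be checked without the framework installed. Allow, Deny, Everyone and Authenticated are local stand-ins for the names exported by repoze.bfg.security; the page names, ACL names, user id and the 'editor' principal are assumed values. The 'editors-only' ACL follows Chris's prose (editors may view and edit, nobody else), and a page name missing from the table gets an empty ACL, so no ACE matches and the default deny applies rather than silently granting access.

```python
# Stand-ins for repoze.bfg.security names (import the real ones in an app).
Allow = 'Allow'
Deny = 'Deny'
Everyone = 'system.Everyone'
Authenticated = 'system.Authenticated'

# Named ACLs; ACEs are (action, principal, permission) and order matters.
ACLS = {
    # Anyone may read, only the 'editor' principal may change the page.
    'public-view': [(Allow, 'editor', 'edit'),
                    (Allow, Everyone, 'view')],
    # Only editors may read or change the page.
    'editors-only': [(Allow, 'editor', 'edit'),
                     (Allow, 'editor', 'view')],
    # Ordinary wiki page: anyone may view or edit.
    'open': [(Allow, Everyone, 'view'),
             (Allow, Everyone, 'edit')],
}

# Constructed stand-in for the database table mapping page name -> ACL name.
PAGE_ACL_NAMES = {
    '1': 'public-view',
    '2': 'editors-only',
    'FrontPage': 'open',
}

# Fail closed: an empty ACL matches no ACE, so permits() falls through to deny.
DEFAULT_ACL = []


class PageFactory(object):
    """Route factory: the instance is the request's context and carries the
    __acl__ computed from the matched 'pagename' via the lookup table."""

    def __init__(self, environ):
        matchdict = environ['bfg.routes.matchdict']
        self.pagename = matchdict.get('pagename')
        acl_name = PAGE_ACL_NAMES.get(self.pagename)
        self.__acl__ = ACLS.get(acl_name, DEFAULT_ACL)


def permits(context, principals, permission):
    """First matching ACE wins, walking from the context up through __parent__
    (the rule repoze.bfg's ACLAuthorizationPolicy uses); no match means deny."""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, '__acl__', ()):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
        node = getattr(node, '__parent__', None)
    return False


def effective_principals(userid=None, groups=()):
    """Principals a request carries: Everyone always; Authenticated, the user
    id and the group names only once someone has logged in."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid] + list(groups)
    return principals


def check(pagename, permission, userid=None, groups=()):
    """Build the context for /pages/<pagename> the way the router would and
    ask whether the caller's principals hold `permission` on it."""
    environ = {'bfg.routes.matchdict': {'pagename': pagename}}
    context = PageFactory(environ)
    return permits(context, effective_principals(userid, groups), permission)


if __name__ == '__main__':
    cases = [
        ('1', 'view', None, ()),
        ('1', 'edit', None, ()),
        ('1', 'edit', 'george', ('editor',)),
        ('2', 'view', None, ()),
        ('2', 'view', 'george', ('editor',)),
        ('FrontPage', 'edit', None, ()),
        ('no-such-page', 'view', 'george', ('editor',)),
    ]
    for pagename, permission, userid, groups in cases:
        who = userid or 'anonymous'
        print('%s %s /pages/%s: %s' % (who, permission, pagename,
                                       check(pagename, permission, userid, groups)))
```

The factory only ever attaches ACLs that exist in ACLS, so a typo in the table cannot widen access; the worst case for an unknown or misspelled page is a denial that shows up in testing rather than an unintended "Everyone may edit".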