Thanks a lot Chris. Now I understand it very clearly. What I'm going to do is
to put an "editing" lock on one of the wiki pages; all other pages allow
everyone to view and edit. Based on the SQLAlchemy + url dispatch Wiki
tutorial, I changed the RootFactory to the following to accomplish the

    def __init__(self,environ):
      matchdict = environ['bfg.routes.matchdict']
      page = matchdict.get('pagename')
      if page == "MyPage":

It is just a very simple "try and see" piece of code to make sure I
understand the security description of repoze.bfg, by adding some
trivial logic to the tutorial code. And I agree with you that in a real case a
lookup table is the way I should go.

On Tue, Oct 13, 2009 at 4:20 PM, Chris McDonough <> wrote:

> george hu wrote:
>> Okay, now I tried to change the RootFactory class as this:
>>    def __init__(self,environ):
>>      matchdict = environ['bfg.routes.matchdict']
>>      page = matchdict.get('pagename',None)
>>      if page == "APage":
>>         self.__acl__=[(Allow,Everyone,'view'),(Allow,'editor','edit')]
>> What I want is to pop up a login page for a specific pagename (APage) and
>> when it is authenticated it brings me to the edit page. It did when I tried
>> to access APage. But it did this on other pages and I couldn't access the
>> edit page even though I provided the correct user/password. Should I add a new factory
>> directive in ZCML, say GetPage, and create a Factory class GetPage in
>>  and put
>> page = session.query(Page).filter_by(name=matchdict['pagename']).one()
>> and also the acl part in it and return the page?
> I don't know what this means in terms of your specific application, but the
> context you return (the result of the "factory") should have "the right" ACL
> based on the elements that are matched in the matchdict.  So for instance,
> for the URL pattern "/pages/:pagename"
> - For the URL /pages/1, "pagename" is "1".
> - For the URL /pages/2, "pagename" is "2".
> Let's say when the pagename is "1" you want to allow editors to edit and
> everyone else to view.  But when the pagename is any other page name, you
> want to allow only editors to view and edit.  This means that you'd do
> something like:
> from repoze.bfg.security import Allow, Everyone
>
> class TheFactory(object):
>     def __init__(self, environ):
>         matchdict = environ['bfg.routes.matchdict']
>         page = matchdict.get('pagename')
>         if page == '1':
>             # page "1": editors may edit, everyone may view
>             self.__acl__ = [(Allow, 'editor', 'edit'),
>                             (Allow, Everyone, 'view')]
>         else:
>             # any other page: only editors may view or edit
>             self.__acl__ = [(Allow, 'editor', 'view'),
>                             (Allow, 'editor', 'edit')]
> Obviously this won't scale for arbitrary values of "pagename" over time, so
> you'll want to keep some sort of lookup table in your database that maps
> page names to "acl names" or so, so you can attach the correct ACL.  Use the
> table within the factory to compute the acl and attach it.
> - C
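As an added example (not code from the thread or from repoze.bfg itself), here is the lookup-table variant of the factory Chris describes, with a minimal first-match ACL check standing in for repoze.bfg's ACLAuthorizationPolicy so it runs without the framework. The page names, the ACL names and the PAGE_ACL_NAMES table are constructed; in a real application that table would be a database query.

```python
# Added example: a context factory that attaches an ACL looked up from a
# per-page table, plus a first-match ACL check so it can be exercised offline.
# Allow/Everyone and permits() are stand-ins for the repoze.bfg originals.
Allow, Deny = "Allow", "Deny"
Everyone = "system.Everyone"

# Named ACLs; the lookup table maps page names to one of these names.
ACLS = {
    "public-editable": [(Allow, "editor", "edit"), (Allow, Everyone, "view")],
    "editors-only":    [(Allow, "editor", "view"), (Allow, "editor", "edit")],
}

# Constructed lookup table standing in for a database query. Any page not
# listed here falls back to the restrictive ACL, so new pages default closed.
PAGE_ACL_NAMES = {"1": "public-editable", "FrontPage": "public-editable"}
DEFAULT_ACL_NAME = "editors-only"


class PageFactory(object):
    """Context factory for the route pattern /pages/:pagename."""

    def __init__(self, environ):
        matchdict = environ["bfg.routes.matchdict"]
        page = matchdict.get("pagename")
        acl_name = PAGE_ACL_NAMES.get(page, DEFAULT_ACL_NAME)
        self.__acl__ = list(ACLS[acl_name])


def permits(context, principals, permission):
    """First matching ACE decides; no matching ACE means the request is denied."""
    for action, principal, perm in context.__acl__:
        if principal in principals and perm == permission:
            return action == Allow
    return False


def check(pagename, principals, permission):
    """Build the context the way repoze.bfg would for the route, then consult the ACL."""
    environ = {"bfg.routes.matchdict": {"pagename": pagename}}
    return permits(PageFactory(environ), principals, permission)
```

An anonymous request carries only the Everyone principal, an authenticated editor carries Everyone plus 'editor'; page "2" is absent from the table and so is readable only by editors.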
Repoze-dev mailing list