Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.

Gustavo Narea Mon, 15 Feb 2010 14:44:00 -0800

Hello, Tim.

On 15/02/10 22:06, Tim Hoffman wrote:
> Hi Gustavo
>
> Yeah I have thought about writing custom Predicates.
>
> The main problem I saw with it was it appears I would have to pass in
> the object to be checked at
> predicate instantiation time, rather than at evaluation time.
>
> evaluate only takes environ and credentials.
> Which means I would have to somehow stuff the entity into the wsgi
> environ or I would be retrieving the object
> a second time inside the evaluate predicate, when I already have it.
> And that would seem expensive (I am running on App Engine).
>
> So using your example from the docs.
>
> It would look something like.
>
>
> from repoze.what.predicates import Predicate
>
> class is_author(Predicate):
>    message = 'Only %(author)s can manage post %(post_id)s'
>
>    def __init__(self,context,**kwargs):
>        super(is_author,self).__init__(kwargs)
>        self.context = context
>
>    def evaluate(self, environ, credentials):
>        
>        if self.context.author != credentials.get('repoze.what.userid'):
>            self.unmet(post_id=post_id, author=post.author_userid)
>


I use the wsgiorg.routing_args variable
(environ['wsgiorg.routing_args']) to store the objects for the resource
in the URL, like this:

====
class BasePostPredicate(Predicate):
    def _get_blog_post(self, environ):
        if "post" not in environ['wsgiorg.routing_args'][1]:
            post_id = environ['wsgiorg.routing_args'][1]['post_id']
            environ['wsgiorg.routing_args'][1]['post'] =
gimme_the_post(post_id)
        return environ['wsgiorg.routing_args'][1]['post']

class IsAuthor(BasePostPredicate):
    def evaluate(self, environ, credentials):
        post = self._get_blog_post(environ)
        if post.author != credentials.get('repoze.what.userid'):
        self.unmet('Only %(author)s can manage post %(post_id)s',
                   author=post.author, post_id=post.id)

class IsEditor(BasePostPredicate):
    def evaluate(self, environ, credentials):
        post = self._get_blog_post(environ)
        if credentials.get('repoze.what.userid') not in post.editors:
        self.unmet('Only editors can manage post %(post_id)s',
                   post_id=post.id)
====

BasePostPredicate looks ugly because of the environ dict. Starting with
v1.1, we're going to use the pythonic WebOb request objects and thus it
will look like this:
====
class BasePostPredicate(Predicate):

    def _get_blog_post(self, request):
        if "post" not in request.urlvars:
            request.urlvars['post'] =
gimme_the_post(request.urlvars['post_id'])
        return request.urlvars['post']
====

> And then
>
> # Can the user edit the post?  (must be site manager or owner)
>
> from repoze.what.predicates import Any, has_permission
> p =  Any(has_permission('site_manager'),is_author(context))
>

Right. But with the predicate above, you wouldn't pass the context:
   p = Any(has_permission('site_manager'),IsAuthor())

HTH,

 - Gustavo.

>
> On Tue, Feb 16, 2010 at 5:41 AM, Gustavo Narea <m...@gustavonarea.net
> <mailto:m...@gustavonarea.net>> wrote:
> > Hello, Tim.
> >
> > The groups/permissions functionality is just something basic and
> > optional, to help people get started, although for some smaller projects
> > it may be good enough. For finer-grained control, you may want to check
> > this:
> >
> http://what.repoze.org/docs/1.0/Manual/Predicates/Writing.html#creating-a-predicate-checker-more-sensitive-to-the-request
> >
> > I've never really wanted to offer a similar functionality
> > out-of-the-box. I've given some thought to this, and never came up with
> > non-intrusive way of addressing this kind of situations. But I'm always
> > open to hear alternatives.
> >
> > I hope this is what you were looking for.
> >
> >  - Gustavo.
> >
> >
> > On 15/02/10 15:19, Tim Hoffman wrote:
> >> Hi
> >>
> >> I am trying to work out how I could protect a specific resource/entity
> >> using repoze.what.
> >>
> >> For instance I have a specific "Record", owned by a specific
> "User", and
> >> only a user with the "Owner" permission can "Edit" the record.
> >>
> >> I can't work out how you would assign "Owner" permission to the
> user only when
> >> accessing "Record".  i.e the user in question would not be owner of
> >> any other record.
> >>
> >> It seems the group source and permission source act on a global basis
> >> and aren't context aware.  And predicates check_authorization() calls
> >> only take a environ
> >> and therefore you can only protect things like URL's not entities.
> >>
> >> Am I trying to do something not possible/intended for repoze.what.
> >>
> >> I suppose I am looking for functionality similiar to zope2
> >> permissions/roles etc...
> >>
> >> T
> >> _______________________________________________
> >> Repoze-dev mailing list
> >> Repoze-dev@lists.repoze.org <mailto:Repoze-dev@lists.repoze.org>
> >> http://lists.repoze.org/listinfo/repoze-dev
> >>
> >
> >
> > --
> > Gustavo Narea <xri://=Gustavo>.
> >
> >
>


-- 
Gustavo Narea <xri://=Gustavo>.

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev

Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.

Reply via email to