Re: [Repoze-dev] Turbogears2 identity variable in templates
Hello!

On Wednesday April 29, 2009 12:37:02 Jorge Vargas wrote:
> > On Monday April 27, 2009 10:42:35 Jorge Vargas wrote:
> >> more interesting than that template_vars.tg.identity returns None when
> >> the user isn't logged on. which means you will have to precheck all
> >> your access tests in something along the lines of
> >>
> >> if tg.identity and tg.identity['user'] == "something"
> >>
> >> which is too weird.
> >
> > You could turn the repoze.who identity dict into a TG2 Bunch and
> > customize that too.
> >
> >> on top of that it seems to me that checks in the form of are simply not
> >> possible py:if="'admin' in tg.identity.groups""
> >
> > It's always been discouraged to deal with that repoze.what stuff
> > directly, as it's going to change somewhere in v1.X and disappear in v2
> > -- it's something internal to repoze.what.
>
> I think you missed the point. by "Identity" I'm not talking about
> repoze.who.identity dict, I'm talking about the concept of allowing
> you to evaluate your object with pythonic calls. "if user in group"
> type of thing.

"Identity" is an ambiguous term, especially in this context; I'd rather hear
exactly "authentication" or "authorization" -- hence I replied to both
meanings just in case, because I wasn't sure what you meant.

> >> is there an obvious way of doing this with repoze.what that I'm
> >> missing?
> >
> > You have two options to do that, which are also simpler (from my point of
> > view):
> > http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicate-evaluators
>
> is this syntax really better at the template level?
> Hi Jorge
>
> I find it a lot more verbose

Yes, it is.

> , also isn't this evaluating the predicate
> twice?

No, as far as I see.

> by the way from repoze.what.plugins.pylonshq import is_met is not the
> correct path.

Are you using an old version of repoze.what-pylons? That function wasn't
present in early betas. It works over here:
"""
>>> from repoze.what.plugins import pylonshq
>>> dir(pylonshq)
['ActionProtector', 'ControllerProtector', '__all__', '__builtins__',
'__doc__', '__file__', '__name__', '__package__', '__path__',
'booleanize_predicates', 'debooleanize_predicates', 'is_met', 'not_met',
'protectors', 'utils']
>>> from repoze.what.plugins.pylonshq import is_met
>>> is_met
"""

> > http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean-predicates
>
> could you please explain why this warning? I'm really shocked here. are
> you telling us that the default way TG is using repoze.what will break
> your security? last time I read the ticket regarding this
> implementation it was never mentioned that this will be a security
> issue.

I always warned it was a horrible idea, totally discouraged by me, which
_could_ (not "will") bring side-effects and/or make the application
error-prone. That warning just lists the exact situations under which there
may be security flaws because of that misfeature.

> >> Also keep in mind this is pure syntax sugar as the real
> >> security check was done in the controller. Last but not least is this
> >> a class that is worth including in r.what? or should we keep it TG
> >> only? IMO this api is nice enough to work on any python
> >> template/framework and I think it's totally worth pushing into what.
> >
> > Regarding the repoze.who identity dict, I think TG2 could turn that dict
> > into a Bunch if you find it necessary.
>
> That's a good idea but you keep telling us that's "internal" for
> repoze.what and we can't rely on it so why/how can we work with it if
> it's going away?

There will be a 100% backwards-compatible 1.5 release eventually, which will
backport all possible enhancements from version 2.0. But repoze.what 2 won't
have such a dictionary and thus it's likely* that v1.5 won't have it either
(even if it keeps the dictionary, the arrangement may change). Hence I can't
suggest that you use it directly. Predicate checkers are the safe bet.

* repoze.what 2 is still taking shape, so at this point it's hard to tell if
it'd be present in v1.5 or not. I can just assure it won't be present in v2
(in fact it's one of the main reasons why I'm rewriting it all).

> > Regarding accessing the repoze.what credentials dict, it shouldn't be
> > supported because it's not intended to be used directly. Instead, I'd
> > recommend predicate evaluators -- and TG2 could have a short-cut to
> > is_met() and not_met() in the template.
>
> What's so wrong with making the predicates behave like boolean objects?

They make your code error-prone and may cause side-effects (e.g., security
flaws) in some situations, as explained in detail in the repoze.what-pylons
docs.

Cheers!
--
Gustavo Narea .
| Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |

___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Turbogears2 identity variable in templates
On Mon, Apr 27, 2009 at 5:15 AM, Gustavo Narea wrote:
> Hola, Jorge.
>
> You have two options to do that, which are also simpler (from my point of
> view):
> http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicate-evaluators
> http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean-predicates
>

let me expand my request a little. it seems to me there is no simple way of
querying the system to see who you are and what you can do. Consider the
following case.

#controller
def index(self):
    if in_group('guests').is_met(request.environ):
        return dict(...)
    if in_group('clients').is_met(request.environ):
        return dict(...)

#template
Re: [Repoze-dev] Turbogears2 identity variable in templates
On Mon, Apr 27, 2009 at 5:15 AM, Gustavo Narea wrote:
> Hola, Jorge.
>
> On Monday April 27, 2009 10:42:35 Jorge Vargas wrote:
>> more interesting than that template_vars.tg.identity returns None when
>> the user isn't logged on. which means you will have to precheck all
>> your access tests in something along the lines of
>>
>> if tg.identity and tg.identity['user'] == "something"
>>
>> which is too weird.
>
> You could turn the repoze.who identity dict into a TG2 Bunch and customize
> that too.
>
>
>> on top of that it seems to me that checks in the form of are simply not
>> possible py:if="'admin' in tg.identity.groups""
>
> It's always been discouraged to deal with that repoze.what stuff directly,
> as it's going to change somewhere in v1.X and disappear in v2 -- it's
> something internal to repoze.what.
>
I think you missed the point. by "Identity" I'm not talking about
repoze.who.identity dict, I'm talking about the concept of allowing you to
evaluate your object with pythonic calls. "if user in group" type of thing.

>> is there an obvious way of doing this with repoze.what that I'm
>> missing?
>
> You have two options to do that, which are also simpler (from my point of
> view):
> http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicate-evaluators

is this syntax really better at the template level?
Hi Jorge

I find it a lot more verbose, also isn't this evaluating the predicate
twice?

by the way from repoze.what.plugins.pylonshq import is_met is not the
correct path.

> http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean-predicates
>
could you please explain why this warning? I'm really shocked here. are
you telling us that the default way TG is using repoze.what will break
your security? last time I read the ticket regarding this
implementation it was never mentioned that this will be a security
issue.

>> Also keep in mind this is pure syntax sugar as the real
>> security check was done in the controller. Last but not least is this
>> a class that is worth including in r.what? or should we keep it TG
>> only? IMO this api is nice enough to work on any python
>> template/framework and I think it's totally worth pushing into what.
>
> Regarding the repoze.who identity dict, I think TG2 could turn that dict into
> a Bunch if you find it necessary.
>
That's a good idea but you keep telling us that's "internal" for
repoze.what and we can't rely on it so why/how can we work with it if
it's going away?

> Regarding accessing the repoze.what credentials dict, it shouldn't be
> supported because it's not intended to be used directly. Instead, I'd
> recommend predicate evaluators -- and TG2 could have a short-cut to
> is_met() and not_met() in the template.

What's so wrong with making the predicates behave like boolean objects?

> HTH,
> --
> Gustavo Narea .
> | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] Turbogears2 identity variable in templates
Hola, Jorge.

On Monday April 27, 2009 10:42:35 Jorge Vargas wrote:
> more interesting than that template_vars.tg.identity returns None when
> the user isn't logged on. which means you will have to precheck all
> your access tests in something along the lines of
>
> if tg.identity and tg.identity['user'] == "something"
>
> which is too weird.

You could turn the repoze.who identity dict into a TG2 Bunch and customize
that too.

> on top of that it seems to me that checks in the form of are simply not
> possible py:if="'admin' in tg.identity.groups""

It's always been discouraged to deal with that repoze.what stuff directly,
as it's going to change somewhere in v1.X and disappear in v2 -- it's
something internal to repoze.what.

> is there an obvious way of doing this with repoze.what that I'm
> missing?

You have two options to do that, which are also simpler (from my point of
view):
http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicate-evaluators
http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean-predicates

> Also keep in mind this is pure syntax sugar as the real
> security check was done in the controller. Last but not least is this
> a class that is worth including in r.what? or should we keep it TG
> only? IMO this api is nice enough to work on any python
> template/framework and I think it's totally worth pushing into what.

Regarding the repoze.who identity dict, I think TG2 could turn that dict into
a Bunch if you find it necessary.

Regarding accessing the repoze.what credentials dict, it shouldn't be
supported because it's not intended to be used directly. Instead, I'd
recommend predicate evaluators -- and TG2 could have a short-cut to
is_met() and not_met() in the template.

HTH,
--
Gustavo Narea .
| Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
[Repoze-dev] Turbogears2 identity variable in templates
Hello,

Today I took some time to review the state of affairs for checking for what
used to be identity in TG1. A little reminder of the API:
http://docs.turbogears.org/1.0/UsingIdentity#using-identity-in-templates

IMO that api was really good as tg.identity (the template variable) was a
simple proxy to the current logged in user and some handy methods.

Fast forward to TG2 and we have a very different API. first it's a dict and
not a Bunch (aka attribute access)

template_vars.tg.identity.keys()
['userdata', 'repoze.who.userid', 'timestamp', 'tokens', 'user', 'groups',
'permissions']

more interesting than that template_vars.tg.identity returns None when the
user isn't logged on. which means you will have to precheck all your access
tests in something along the lines of

if tg.identity and tg.identity['user'] == "something"

which is too weird.

on top of that it seems to me that checks in the form of

py:if="'admin' in tg.identity.groups"

are simply not possible. is there an obvious way of doing this with
repoze.what that I'm missing?

Also keep in mind this is pure syntax sugar as the real security check was
done in the controller. Last but not least is this a class that is worth
including in r.what? or should we keep it TG only? IMO this api is nice
enough to work on any python template/framework and I think it's totally
worth pushing into what.
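An added example for this thread; it is not code from the list posts, from TurboGears 2 or from repoze.what. It models the three things argued over above in one self-contained script: the explicit is_met()/not_met() predicate evaluators Gustavo recommends (the style Jorge's index() controller uses), a never-None identity object so a template can write 'admin' in tg.identity.groups without the "if tg.identity and ..." pre-check the original post complains about, and one concrete reason a predicate that answers a truth value from ambient request state is error-prone. Every name here (Predicate, in_group, All, Identity, BoolInGroup, CURRENT_ENVIRON, template_identity, booleanized_and_hazard) and the environ key "example.credentials" are assumptions made for this example, not the real repoze.what API; the credential dicts are constructed sample data.

```python
"""Model of explicit predicate evaluators vs. booleanized predicates.
Added example for the thread; not code from TG2 or repoze.what. The environ
key below and every class/function name are assumptions for this example."""

CREDENTIALS_KEY = "example.credentials"  # constructed stand-in for the framework's key


class Predicate:
    """Explicit evaluation: the caller always passes the request environ."""

    def is_met(self, environ):
        raise NotImplementedError

    def not_met(self, environ):
        return not self.is_met(environ)


class in_group(Predicate):
    """True when the request's credentials list the given group."""

    def __init__(self, group):
        self.group = group

    def is_met(self, environ):
        creds = environ.get(CREDENTIALS_KEY)
        # An anonymous request carries no credentials: fail closed, never raise,
        # so callers need no "if identity and ..." pre-check.
        return creds is not None and self.group in creds.get("groups", ())


class All(Predicate):
    """Composite predicate: every member must be met for the same request."""

    def __init__(self, *predicates):
        self.predicates = predicates

    def is_met(self, environ):
        return all(p.is_met(environ) for p in self.predicates)


def is_met(predicate, environ):
    """Template-side short-cut, mirroring the is_met()/not_met() idea."""
    return predicate.is_met(environ)


def not_met(predicate, environ):
    return predicate.not_met(environ)


class Identity:
    """Attribute-access view of the credentials dict that is never None, so a
    template can write "'admin' in tg.identity.groups" for any request."""

    def __init__(self, creds):
        creds = creds or {}
        self.user = creds.get("user")
        self.groups = frozenset(creds.get("groups", ()))
        self.permissions = frozenset(creds.get("permissions", ()))

    @property
    def anonymous(self):
        return self.user is None


def template_identity(environ):
    return Identity(environ.get(CREDENTIALS_KEY))


# --- why a predicate with a truth value is error-prone ------------------------
CURRENT_ENVIRON = {}  # ambient "current request" slot; empty outside a request


class BoolInGroup(in_group):
    """Same check, but also usable as a bare truth value (implicit evaluation)."""

    def __bool__(self):
        return self.is_met(CURRENT_ENVIRON)


def booleanized_and_hazard():
    """Compose 'admins AND staff' with plain `and` while no request is active,
    then evaluate it for an admin who is NOT staff. Returns a tuple of
    (group the rule collapsed to, booleanized verdict, explicit All() verdict)."""
    global CURRENT_ENVIRON
    CURRENT_ENVIRON = {}  # e.g. module import time: anonymous
    rule = BoolInGroup("admins") and BoolInGroup("staff")
    # `and` evaluates its operands right here; the first is False for an
    # anonymous request, so `rule` is just the admins predicate and the
    # staff requirement is silently dropped.
    alice = {CREDENTIALS_KEY: {"user": "alice", "groups": ["admins"]}}  # constructed
    CURRENT_ENVIRON = alice  # later, inside alice's request
    explicit = All(in_group("admins"), in_group("staff")).is_met(alice)
    return rule.group, bool(rule), explicit


if __name__ == "__main__":
    anon = {}
    bob = {CREDENTIALS_KEY: {"user": "bob", "groups": ["clients"]}}  # constructed
    print(is_met(in_group("clients"), bob), not_met(in_group("clients"), anon))
    print(template_identity(anon).anonymous, "clients" in template_identity(bob).groups)
    print(booleanized_and_hazard())  # ('admins', True, False)
```

The last function shows, in plain Python terms rather than as a claim about how TG2 wires things up, the kind of trap the repoze.what-pylons warning is about: `and` evaluates its operands at the moment the expression runs, so a rule composed outside a request collapses to whichever operand was falsy at that moment, and the second requirement disappears without any error. An explicit `All(...).is_met(environ)` keeps both operands and evaluates them against the request that is actually being authorized, which is why the explicit evaluators are the safer interface to expose to templates.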