On Wed, Feb 11, 2009 at 11:28 AM, Gustavo Narea <m...@gustavonarea.net> wrote:
>
> Hello, everybody.
>
> I already mentioned this in another email, but I think it deserves its own
> thread.
>
> In trunk I've implemented a class decorator that sets controller-wide access
> rules (@tg.protect), based on the @ControllerProtector decorator in the new
> repoze.what-pylons package.
>
> So, right now the following controllers are equivalent:
>> class ControlPanel(BaseController):
>> allow_only = has_permission('manage')
>>
>> def _failed_authorization(self, reason):
>> if response.status.startswith('401'):
>> status = 'warning'
>> else:
>> status = 'error'
>> flash(reason, status)
>> ---
>> @protect(has_permission)
>> class ControlPanel(BaseController):
>> pass
>
> From my point of view, @protect is *much* more elegant, extensible and
> maintainable (more on why it's extensible in the repoze.what-pylons
> documentation). It's also more reliable/clear because, in a nutshell, what it
> does is decorate Controller.__before__ with a @require.
>
> The Controller.allow_only feature is controversial (some of us think it's best
> to prepend one or two underscores) and it's maintained in the TG package
> itself (while @protect is a simple subclass of a decorator maintained in a
> third party package).
>
> So, I propose that we drop Controller.allow_only and stick to @protect.
>
> What do you think?
class decorators? what about everyone not in py2.6? I think way back
when allow_only was created we agreed it was a good compromise before
class decorators where introduced.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"TurboGears Trunk" group.
To post to this group, send email to turbogears-trunk@googlegroups.com
To unsubscribe from this group, send email to
turbogears-trunk+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/turbogears-trunk?hl=en
-~----------~----~----~----~------~----~------~--~---
