Just so I'm clear, if you have to protect the RootController, you have
to put @require on each of the root controller paths that needs to be
protected, then protect each subcontroller individually?
So the TurboGears development team suggests the following code
structure:
# Imports assumed for a TurboGears 2 quickstart project named "wiki"; they are
# not in the original post, so adjust them to the project's real layout.
from tg import expose, require, url
from pylons.i18n import ugettext as _
from repoze.what import predicates
from catwalk.tg2 import SecuredCatwalk          # assumed import location
from wiki.lib.base import BaseController
from wiki.model import DBSession, metadata
from wiki.controllers.secure import SecureController
from wiki.controllers.error import ErrorController
# The poster's own subcontrollers; these module paths are assumed.
from wiki.controllers.docs import DocsController
from wiki.controllers.billing import BillingController
from wiki.controllers.clients import ClientController
from wiki.controllers.databases import DatabaseController


class RootController(BaseController):
    # Subcontrollers are mounted as class attributes; each carries its own
    # allow_only, so nothing on the root protects them as a group.
    admin = SecuredCatwalk(DBSession, metadata)
    secc = SecureController()
    error = ErrorController()
    docs = DocsController()
    billing = BillingController()
    clients = ClientController()
    databases = DatabaseController()

    # Every root-level action has to repeat its own @require.
    @expose('wiki.templates.template')
    @require(predicates.has_permission('manage', msg=_('Only for managers')))
    def test(self):
        return dict(page='index', template='form')

    @expose('wiki.templates.index')
    @require(predicates.has_permission('manage', msg=_('Only for managers')))
    def index(self):
        return dict(page='index')

    @expose('wiki.templates.about')
    @require(predicates.has_permission('manage', msg=_('Only for managers')))
    def about(self):
        return dict(page='about')

    @expose('wiki.templates.authentication')
    @require(predicates.has_permission('manage', msg=_('Only for managers')))
    def auth(self):
        return dict(page='auth')

    @expose('wiki.templates.index')
    @require(predicates.has_permission('manage', msg=_('Only for managers')))
    def manage_permission_only(self, **kw):
        return dict(page='managers stuff')

    @expose('wiki.templates.index')
    @require(predicates.is_user('editor', msg=_('Only for the editor')))
    def editor_user_only(self, **kw):
        return dict(page='editor stuff')

    # login stays unprotected so the repoze.who challenger can reach it.
    @expose('wiki.templates.login')
    def login(self, **kw):
        came_from = kw.get('came_from', url('/'))
        return dict(page='login', header=lambda *arg: None,
                    footer=lambda *arg: None, came_from=came_from)
and then in each of the subcontrollers, I can then protect it with:
allow_only = in_group('manage')
which seems quite a bit more complex than including the above line
once.
Which of the plugins from here:
http://static.repoze.org/whodocs/narr.html#module-repoze.who.plugins.sql
should I be using where I can specify the allow_only on the root
controller and have the entire application protected?
Are there other frameworks that put the login page behind an AAA
method?
On Feb 18, 7:19 am, Gustavo Narea <[email protected]> wrote:
> This is a consequence of using RedirectingFormPlugin, the only repoze.who
> challenger which has to reach the application to challenge (that is, display
> the login form). While using this plugin there's *nothing* else you can do --
> you are protecting the whole application, how is repoze.who supposed to reach
> the controller action that displays the login form then?