Yes, bypassing the "bastard" default templating system for auth is very
important... I think TurboGears should give lots of automated
features but with a manual mode too.
However, this work is really a pain, but since I like TurboGears and
I have free time, I would like to contribute and I'll do what I can
to do it!
However, keep in mind that HTTP auth needs neither a session nor a
cookie... the client always sends the Authorization header.
I think there should be this kind of hierarchy (when I say "model",
don't relate it to SQLObject):
Authorizations:
1) Abstract auth models
2) Various auth models (basic auth, digest auth, session-based auth,
cookie-based auth)
A group is made up of roles and not users.
A rolegroup can inherit from other rolegroups.
A user can have multiple groups, joining their roles (if this can be done :P).
1) Decorator option for "expose" giving the name of the group, then getting
the roles in a local variable (for role checks inside the function)
2) Decorator function which checks for permission to call the function
3) Class variable which contains the standard group that can access the class
In other words, I'm thinking of this scheme...
Assume we have these rolegroups:
SuperAdmins:
- logs_access
- (include Admins)
Admins:
- edit_polls
- view_polls
- (include Users)
Users:
- view_polls
- vote_polls
- (no roles)
superGroup = AuthGroup("SuperAdmins")
normalGroup = AuthGroup("Admins")
usersGroup = AuthGroup("Users")

class Root:
    # class-level default: which auth scheme protects this controller (etc.)
    _authentication = Auth("md5", ...)

    # every role of the group is optional here, so the check only
    # fills in the roles the caller actually holds
    @turbogears.authorize(normalGroup.require(optionals=[normalGroup.getAllRoles]))
    @turbogears.expose()
    def index(self):
        if Roles.edit_polls:
            return "You can edit polls"
        else:
            return "You can touch nothing"

    @turbogears.authorize(superGroup.require())
    @turbogears.expose()
    def logs(self):
        return "Only super users"

    @turbogears.authorize(superGroup.require(optionals=["logs_access"]))
    @turbogears.expose()
    def config(self):
        return "Only super users can view this, who don't have the logs_access role too"

    @turbogears.authorize(normalGroup.require())
    @turbogears.expose()
    def edit_polls(self):
        return "Users who are normal admins"

    @turbogears.authorize(normalGroup.require(optionals=["edit_polls"]))
    @turbogears.expose()
    def view_polls(self):
        return "Admins without edit role can view this too"

    @turbogears.authorize(usersGroup.require(optionals=["vote_polls"]))
    @turbogears.expose()
    def user_view_polls(self):
        return "Ok you can view polls"

    @turbogears.authorize(usersGroup.require())
    @turbogears.expose()
    def user_vote_polls(self):
        return "Vote this come on"
What about it?
--
www.italianpug.org - Italian Python User Group Founder
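The rolegroup/authorize() scheme sketched in the post, as an added, stand-alone example; this is not TurboGears code and not the poster's, and the names RoleGroup, Requirement, HeldRoles, User, Forbidden and authorize are assumptions made here. It keeps the proposed semantics: a group is a set of roles, groups inherit through "includes", require(optionals=...) makes every group role mandatory except the optional ones, and the decorator hands the held optional roles to the method as a local. expose() is left out and the user is passed explicitly instead of being read from the request, so the example runs offline.

```python
import functools


class Forbidden(Exception):
    """Raised when the caller lacks a role the requirement makes mandatory."""


class RoleGroup:
    """A named set of roles; 'includes' gives rolegroup inheritance."""

    def __init__(self, name, roles=(), includes=()):
        self.name = name
        self.own_roles = frozenset(roles)
        self.includes = tuple(includes)

    def all_roles(self):
        """Own roles plus those of every included group, transitively.
        The 'seen' set keeps two groups that include each other from looping."""
        roles, seen, todo = set(), set(), [self]
        while todo:
            group = todo.pop()
            if group.name in seen:
                continue
            seen.add(group.name)
            roles |= group.own_roles
            todo.extend(group.includes)
        return frozenset(roles)

    def require(self, optionals=()):
        """Every role of the group is mandatory except those listed as optional."""
        return Requirement(self, frozenset(optionals))


class HeldRoles:
    """Attribute-style lookup of held optional roles: roles.edit_polls -> bool."""

    def __init__(self, held):
        self._held = frozenset(held)

    def __getattr__(self, role):
        return role in self._held


class Requirement:
    def __init__(self, group, optionals):
        self.group, self.optionals = group, optionals

    def mandatory(self):
        return self.group.all_roles() - self.optionals

    def check(self, user):
        """Raise Forbidden if a mandatory role is missing, else return held optionals."""
        missing = self.mandatory() - user.roles
        if missing:
            raise Forbidden(f"{user.name} lacks {sorted(missing)}")
        return HeldRoles(user.roles & self.optionals)


class User:
    """Effective roles = union of the user's groups minus explicit revocations."""

    def __init__(self, name, groups=(), revoked=()):
        self.name = name
        self.roles = frozenset().union(*(g.all_roles() for g in groups)) - frozenset(revoked)


def authorize(requirement):
    """Deny the call unless mandatory roles are held; pass held optionals as `roles`."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(self, user, *args, **kwargs):
            return func(self, user, *args, roles=requirement.check(user), **kwargs)
        return wrapper
    return decorator


# The rolegroups from the post (constructed sample data).
users = RoleGroup("Users", roles={"view_polls", "vote_polls"})
admins = RoleGroup("Admins", roles={"edit_polls", "view_polls"}, includes=[users])
superadmins = RoleGroup("SuperAdmins", roles={"logs_access"}, includes=[admins])


class Root:
    @authorize(admins.require(optionals=admins.all_roles()))
    def index(self, user, roles):
        return "You can edit polls" if roles.edit_polls else "You can touch nothing"

    @authorize(superadmins.require())
    def logs(self, user, roles):
        return "Only super users"

    @authorize(superadmins.require(optionals=["logs_access"]))
    def config(self, user, roles):
        return "Super users, with or without logs_access"

    @authorize(admins.require(optionals=["edit_polls"]))
    def view_polls(self, user, roles):
        return "Admins without edit role can view this too"

    @authorize(users.require())
    def user_vote_polls(self, user, roles):
        return "Vote this come on"


def allowed(method, user):
    """True if the decorated controller method admits this user."""
    try:
        method(Root(), user)
    except Forbidden:
        return False
    return True


# Constructed sample users: superadmin, admin, admin without edit rights, plain user.
alice = User("alice", groups=[superadmins])
bob = User("bob", groups=[admins])
carol = User("carol", groups=[admins], revoked=["edit_polls"])
dave = User("dave", groups=[users])
```

One thing the example makes visible: because a group is nothing but its role set, SuperAdmins.require(optionals=["logs_access"]) is the same check as Admins.require(), so a plain admin gets into config(); and index(), with every role optional, admits anyone, including a plain user, who then just sees "You can touch nothing". Whether that is the intended meaning of "optionals" is exactly the kind of thing worth settling before the decorator is written.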