This is quite what I want, but imagine this,
my script:
    if 'view-images' in identity.current.permissions:
        # only users holding the permission get the image path
        imgsrc = '/static/images/toto.jpg'
        return dict(src=imgsrc)
There is still a problem for security, because once fetched the output
HTML will look like
<IMG SRC='/static/images/toto.jpg'/>
So someone now knows images are in /static/images/toto.jpg. This way,
without authentication, he could run the URL '/static/images/toto.jpg' and
then try every /static/images/*** file and should get content he
wasn't supposed to fetch.
So I would like a way to have a link like
<IMG SRC='/secured/img2'>
The secured script will fetch the identity, then read and deliver the img
content as a file stream...
Benoit Masson
On 1 Nov 05 at 19:16, Jeff Watkins wrote:
Kevin Dangoor wrote:
There needs to be a way to query the identity system for whether a
user has a given permission (probably in a context, but I haven't seen
any mentions of context). There may be a mechanism now to do so, but I
can't point you on the right path yet. (I changed the subject so maybe
Jeff will notice.)
I notice everything (really, I at least scan all the emails on this
list)... but that said, there *is* a solution to this question.
You can always check whether a user has a particular permission
with code similar to the following:
    from turbogears import identity
    if 'view-images' in identity.current.permissions:
        pass  # user holds the permission
    else:
        pass  # user does not hold the permission
Now, I imagine you can plug this into Kid somehow. Most of my apps
are all Ajaxy so I don't really use much in the template land.
--
Jeff Watkins
http://newburyportion.com/
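
Added example, not part of the original thread and not TurboGears code: a framework-neutral Python version of the /secured/img2 handler asked for above, which checks the permission and then streams the file from a directory that is not web-served. The permissions argument stands in for identity.current.permissions; IMAGE_IDS, serve_secured_image, Forbidden, NotFound and the private image directory are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: opaque ids map to files stored OUTSIDE the web-served /static tree.
IMAGE_IDS = {"img2": ("toto.jpg", "image/jpeg")}


class Forbidden(Exception):
    """Caller lacks the 'view-images' permission (map to HTTP 403)."""


class NotFound(Exception):
    """Unknown id or file missing (map to HTTP 404)."""


def serve_secured_image(image_id, permissions, image_root, chunk_size=8192):
    """Return (content_type, iterator of byte chunks) for an authorized caller."""
    # Check the permission first so callers without it cannot probe which ids exist.
    if "view-images" not in permissions:
        raise Forbidden(image_id)
    entry = IMAGE_IDS.get(image_id)
    if entry is None:
        raise NotFound(image_id)
    filename, content_type = entry
    # Defense in depth: the resolved path must stay inside image_root.
    root = os.path.realpath(image_root)
    path = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        raise NotFound(image_id)

    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block

    return content_type, chunks()


if __name__ == "__main__":
    # Constructed sample: a private directory holding one fake image file.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "toto.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8constructed-sample")
    ctype, body = serve_secured_image("img2", {"view-images"}, root)
    print(ctype, len(b"".join(body)))
```

The handler only helps if the image files are moved out of /static; while they remain there, the direct URL still bypasses the permission check.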