Kevin, you're absolutely correct. I've forgotten now who asked for SecureResource, but this was specifically what was asked for. However, I'd agree it does seem slightly counter-intuitive.

I'd propose the following:

* SecureResource decorates any exposed methods (as it currently does) with the specified requirements.
* In addition, __getattr__ checks to see whether the value returned is derived from Controller and if so, enforces the requirements specified for this SecureResource.

Another option is to use SecureObject which protects ALL access to the object whether exposed or not.

On 6 Jan, 2006, at 7:16 am, Kevin Dangoor wrote:

I was wondering about that. I don't think identity.SecureResource actually blocks the whole tree below... just the items on that one resource. Which is bound to trip people up.

To test that theory, try accessing a method on Admin directly and see if that requires authentication.


-- 

Jeff Watkins

http://newburyportion.com/


Computers, they're just a fad.
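
The gap Kevin describes and the `__getattr__` check proposed in the message above, shown as an added example that is not part of the original message and is not TurboGears code. `Secured`, `guard`, `expose`, `GROUPS`, `is_blocked` and the `Admin`/`Users` tree are all constructed stand-ins; the model uses a proxy object rather than a mixin so that `__getattr__` fires on every lookup.

```python
class IdentityFailure(Exception): pass
class Controller: pass  # stand-in base class, constructed for this example

GROUPS = set()  # constructed stand-in for the current request's identity

def expose(fn):
    fn.exposed = True
    return fn

def guard(fn, group):
    def checked(*args, **kw):
        if group not in GROUPS:
            raise IdentityFailure(fn.__name__)
        return fn(*args, **kw)
    checked.exposed = True
    return checked

class Secured:
    """Enforce `group` on exposed methods; inherit=True also wraps children."""
    def __init__(self, target, group, inherit):
        self._t, self._g, self._inherit = target, group, inherit
    def __getattr__(self, name):
        value = getattr(self._t, name)
        if self._inherit and isinstance(value, Controller):
            return Secured(value, self._g, True)  # the proposed check
        if callable(value) and getattr(value, "exposed", False):
            return guard(value, self._g)
        return value

class Users(Controller):
    @expose
    def delete(self):
        return "deleted"

class Admin(Controller):
    users = Users()
    @expose
    def index(self):
        return "admin home"

def is_blocked(path, inherit):
    """Resolve `path` below a secured Admin as an anonymous caller."""
    node = Secured(Admin(), "admin", inherit)
    try:
        for part in path.split("/"):
            node = getattr(node, part)
        node()
        return False
    except IdentityFailure:
        return True
```

With `inherit=False` the anonymous caller is stopped at `index` but reaches `users/delete`; with `inherit=True` the requirement follows the caller down the tree.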


