On 1/14/06, Jeff Watkins <[EMAIL PROTECTED]> wrote:
>
> Simon, first let me admit I'm biased, but I'm really not certain what
> you're trying to accomplish with RuleDispatch (which is *really*
> cool, by the way) with regard to security. I don't dispute that the
> PEAK security code is *incredibly* powerful, but it is also rather
> confusing -- at least to language newcomers like me and I suspect
> many of the TurboGears target audience.
The reason I'm looking at RuleDispatch and peak.security is as a way to provide
1) a path to handling the ownership question
2) a means to make identity more flexible without requiring completely
new IdentityProviders
That said, I'm 100% in agreement that the current identity API is
considerably easier than peak.security for a large chunk of
applications. My hope is to blend the flexibility of peak.security
with the ease of identity.
> Can you give me a couple examples of functionality that Identity is
> missing? Besides ownership testing, which is problematic but not
> impossible using introspection.
I'm actually not sure that introspection will be the way to handle
ownership. My guess is that the most reliable thing to do will be for
the controller method to directly ask the (in peak.security terms)
Context if the user is permitted to access that object.
There are a couple of things about switching to RuleDispatch:
1) the stuff in quotes is standard Python...
@identity.require("user.has_group('foo')")
2) ...which allows you to do more sophisticated checks
@identity.require("user.has_group('subscriber') and user.paid_in_full")
Using Contexts, you can have a variety of rules that succeed or, if
they fail, provide an appropriate message to the user about why they
can't do what they're trying to do.
I should note that I'm not trying to provide everything out-of-the-box
or solve all of the questions now. The key is that if RuleDispatch
does fit nicely here, I'd like to see its syntax show up *now*.
I'm also envisioning that identity.require *could* take a Context
object directly instead of a string, which provides a super simple
extension point for people when it comes to authorization: just define
your own context and use it wherever you need to.
I haven't figured out or run experiments in code to see how Contexts
get used in the identity.require(<some string>) case. RuleDispatch is
not very exciting when there's only one rule :)
But, I'm definitely not in favor of losing the simplicity that
identity.require has.
> Additionally, while the technique is different than that used in
> PEAK, you can always create a new predicate for the Identity system.
The thing that RuleDispatch does (and probably better than anything
else in Python) is evaluate rules (surprise!). It's super-efficient
and I think it's a superset of the predicate setup in functionality.
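To make the two points above concrete (rule strings that are plain Python expressions, and Context-style rules that carry their own failure message), here is a small added example. It is not code from TurboGears, PEAK, RuleDispatch or this thread: `require`, `Context`, `NotAuthorized`, `User`, `Post` and `run_demo` are assumed stand-ins, and the `ast`-based whitelist on the expression is this example's own choice, not what RuleDispatch does. The rule expressions see only `user` and the optional `obj` passed by the controller, which is also how the ownership check is expressed.

```python
import ast
from functools import wraps

# Constructed sample domain objects (assumed, not TurboGears' own classes).
class User:
    def __init__(self, name, groups=(), paid_in_full=False):
        self.name = name
        self.groups = set(groups)
        self.paid_in_full = paid_in_full

    def has_group(self, name):
        return name in self.groups


class Post:
    def __init__(self, owner, body):
        self.owner = owner
        self.body = body


class NotAuthorized(Exception):
    """Raised when a rule fails; carries the rule's user-facing message."""


# Only these bare names may appear in a rule expression.
_ALLOWED_NAMES = {"user", "obj"}


def _validate(expr):
    """Parse a rule string and reject anything beyond attribute access and
    method calls on `user` / `obj`.  Rule strings are written by the
    developer, not the end user, but keeping the grammar this small means
    a typo or a pasted rule cannot reach __builtins__, __class__ or imports."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id not in _ALLOWED_NAMES:
            raise ValueError("unknown name in rule: %s" % node.id)
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError("private attribute in rule: %s" % node.attr)
    return tree


class Context:
    """A rule plus the message shown when it fails.  Plays the role the
    message above gives a peak.security Context; an assumed stand-in."""

    def __init__(self, expr, message="Permission denied"):
        self.expr = expr
        self.message = message
        self._code = compile(_validate(expr), "<rule>", "eval")

    def allows(self, user, obj=None):
        # Empty __builtins__: the expression sees nothing but user and obj.
        scope = {"user": user, "obj": obj}
        return bool(eval(self._code, {"__builtins__": {}}, scope))


def require(*rules):
    """Decorator accepting rule strings or Context objects, in the spirit of
    identity.require taking a Context directly.  Every rule must pass; the
    first failing rule supplies the denial message."""
    contexts = [r if isinstance(r, Context) else Context(r) for r in rules]

    def decorator(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            for ctx in contexts:
                if not ctx.allows(user, kwargs.get("obj")):
                    raise NotAuthorized(ctx.message)
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


# Controller methods (assumed) using the decorator.
@require("user.has_group('subscriber') and user.paid_in_full")
def premium_feed(user):
    return "feed for %s" % user.name


# The ownership question: the controller hands the object in as `obj`.
owner_only = Context("obj is not None and obj.owner == user.name",
                     "You can only edit your own posts")


@require("user.has_group('member')", owner_only)
def edit_post(user, obj):
    obj.body = obj.body + " (edited)"
    return obj.body


def run_demo():
    """Exercise the allow and deny paths; returns the outcomes for checking."""
    alice = User("alice", groups={"subscriber", "member"}, paid_in_full=True)
    bob = User("bob", groups={"subscriber", "member"}, paid_in_full=False)
    post = Post(owner="alice", body="hello")
    results = {"alice_feed": premium_feed(alice)}
    try:
        premium_feed(bob)
    except NotAuthorized as e:
        results["bob_feed"] = str(e)
    results["alice_edit"] = edit_post(alice, obj=post)
    try:
        edit_post(bob, obj=post)
    except NotAuthorized as e:
        results["bob_edit"] = str(e)
    try:
        Context("__import__('os').system('id')")  # rejected at definition time
    except ValueError as e:
        results["rejected"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The one check worth keeping in mind with any string-rule scheme: the strings are configuration written by the developer and compiled once at import time, so they must never be assembled from request data. The whitelist above turns a misuse of that kind into a ValueError when the controller is defined rather than a code-execution path at request time.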