On 21 Jan, 2006, at 11:52 am, reflog wrote:
Hi.
Dunno if this is related to this post, but what's the best way to
implement the 'subject' strategy that you pointed out?
I have a situation where I have a permission 'can_admin' which allows
editing a part of the site, but I want another limitation on it, like
'can_admin and user == page.owner'

Can it be done with current identity?

Partly. You would have to manually check whether the user (identity.current.user) is the same as page.owner and you can use the has_permission('can_admin') predicate. But this wouldn't plug in very nicely into a require decorator.

So in your controller method you could place:

    if has_permission('can_admin') and identity.current.user == page.owner:
        pass  # do something
    else:
        pass  # do something else

The reason this won't plug into the decorator is I don't know *before* the method executes what the value of page is (or even that there *will* be a page variable). So I can't check its owner. Plus there's no project agnostic way of specifying ownership.

--

Jeff Watkins

http://newburyportion.com/


"Computers are like Old Testament gods; lots of rules and no mercy."

-- Joseph Campbell
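
The reply above notes that a require decorator cannot know which page is involved before the method runs. The following is an added example, not part of the original message and not TurboGears identity code: a decorator that is handed a loader, so it can resolve the object from the request arguments and enforce 'permission and owner' before the method body executes. User, Page, AccessDenied, require_owner, loader and PAGES are hypothetical stand-ins, and the user is passed explicitly instead of being read from identity.current.

```python
# Added example: stand-in objects, not TurboGears identity's own API.
from dataclasses import dataclass, field
from functools import wraps


class AccessDenied(Exception):
    """Raised when the permission or ownership check fails."""


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Page:
    id: int
    owner: User


def require_owner(permission, loader):
    """Check `permission` AND ownership of the object `loader` resolves.

    `loader` receives the same arguments as the wrapped method, so the
    object is looked up before the method body runs. Denies by default.
    """
    def decorator(method):
        @wraps(method)
        def wrapper(user, *args, **kwargs):
            obj = loader(*args, **kwargs)
            if obj is None:
                raise AccessDenied("no such object")
            if permission not in user.permissions or obj.owner != user:
                raise AccessDenied(f"{user.name} may not modify object {obj.id}")
            return method(user, obj)  # method gets the already-checked object
        return wrapper
    return decorator


alice = User("alice", {"can_admin"})
bob = User("bob", {"can_admin"})
carol = User("carol")  # owns a page but lacks can_admin
PAGES = {1: Page(1, alice), 2: Page(2, carol)}  # constructed sample data


@require_owner("can_admin", loader=lambda page_id: PAGES.get(page_id))
def edit_page(user, page):
    return f"{user.name} edited page {page.id}"
```

Because the loader is supplied per method, each project decides what "ownership" means for its own objects, which is the project-specific part the reply points out.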


