Jorge said:
> it's probably the time but I'm a bit lost on how to get this to work
> correctly. Should I make a custom predicate that checks against the
> SQL? I also have a different condition depending on the user.
I'm not sure that I got it right, but please correct me if not:
The scenario: The sections are found dynamically in arguments passed in the
request. For example, in a dmoz.org-like site, the section is a category
(e.g., "Computers"), which has a maintainer (i.e., the "owner") and zero or
more editors (i.e., people appointed by the maintainer to manage the
category). Then, the section is found in the PATH_INFO and has this pattern:
"/{category}/*".
What you want: You want to make sure that whoever edits/deletes a category is
either the category's maintainer or an editor.
If the above is correct, you could write a predicate checker like this:
"""
class can_manage_category(Predicate):
message = 'Category "%(category_name)s" can only be managed by its '
'maintainer or an editor'
def evaluate(self, environ, credentials):
# Finding the current category:
variables = self.parse_variables(environ)
category_name = variables.named_args.get("category")
category = DBSession.query(Category).get(category_name)
if not category:
self.unmet("No such category!!")
# Checking if the current user is the manager or an editor:
user_id = credentials.get("repoze.what.userid")
user = DBSession.query(User).get(user_id)
if user != category.manager or user not in category.editors:
# The user is not the manager or an editor!
self.unmet(category_name=category_name)
"""
Then you'll be able to use it like a normal predicate checker.
Cheers!
PS: I ignored the part "I also have a different condition depending on the
user" because I don't know exactly what you meant by that, and I found that it
could mean two completely different things:
* That you have different *responses* depending on the user, when
authorization is denied. For example, if authorization is denied: Do X if the
current user is Foo, do Y if he's Bar, or do Z otherwise.
* That you have *additional conditions for some users*. For example, the
predicate to be met reads: "Categories can only be edited by their respective
maintainer and editors, as well as the site admin as long as his IP address
belongs to the local network".
--
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
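As an added example that is not part of Gustavo's message or of repoze.what itself: the predicate above with the neither-manager-nor-editor check, plus the PS's second reading (the site admin qualifies only from the local network), run against a small in-memory stand-in for repoze.what's Predicate class and a constructed category table, so it works without the library or a database. The Predicate stand-in, CATEGORIES, ADMINS, LOCAL_NET and allowed() are all assumptions made for this example.

```python
import ipaddress

class NotAuthorizedError(Exception): pass

class Predicate:  # minimal stand-in for repoze.what's Predicate (assumption)
    message = "Access denied"
    def unmet(self, msg=None, **placeholders):
        raise NotAuthorizedError((msg or self.message) % placeholders)
    def parse_variables(self, environ):
        pos, named = environ.get("wsgiorg.routing_args", ((), {}))
        return {"positional_args": pos, "named_args": named}
    def check_authorization(self, environ):
        self.evaluate(environ, environ.get("repoze.what.credentials", {}))

# Constructed in-memory "database": category -> (manager, editors)
CATEGORIES = {"Computers": ("alice", {"bob"}), "Science": ("carol", set())}
ADMINS = {"root"}
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")

class can_manage_category(Predicate):
    message = ('Category "%(category_name)s" can only be managed by its '
               'maintainer or an editor')
    def evaluate(self, environ, credentials):
        name = self.parse_variables(environ)["named_args"].get("category")
        if name not in CATEGORIES:
            self.unmet("No such category!!")
        manager, editors = CATEGORIES[name]
        user = credentials.get("repoze.what.userid")
        # Deny only when both fail: neither manager nor editor ("and", not "or")
        if user != manager and user not in editors:
            self.unmet(category_name=name)

class can_manage_category_or_local_admin(can_manage_category):
    """Second reading of the PS: admins also qualify, but only from the LAN."""
    def evaluate(self, environ, credentials):
        user = credentials.get("repoze.what.userid")
        try:
            if user in ADMINS and ipaddress.ip_address(
                    environ.get("REMOTE_ADDR", "")) in LOCAL_NET:
                return
        except ValueError:  # unparsable address: fall through to the base check
            pass
        super().evaluate(environ, credentials)

def allowed(predicate, user, category, remote_addr="203.0.113.5"):
    environ = {"wsgiorg.routing_args": ((), {"category": category}),
               "repoze.what.credentials": {"repoze.what.userid": user},
               "REMOTE_ADDR": remote_addr}
    try:
        predicate.check_authorization(environ)
        return True
    except NotAuthorizedError:
        return False
```

With the original `or` in the condition, the editor "bob" would have been denied; the `and` form lets both the manager and the editors through while still rejecting everyone else and unknown categories.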