Jorge said:
> it's probably the time but I'm a bit lost on how to get this to work
> correctly. Should I make a custom predicate that checks against the
> SQL? I also have a different condition depending on the user.


I'm not sure that I got it right, but please correct me if not:

The scenario: The sections are found dynamically in arguments passed in the 
request. For example, in a dmoz.org-like site, the section is a category 
(e.g., "Computers"), which has a maintainer (i.e., the "owner") and zero or 
more editors (i.e., people appointed by the maintainer to manage the 
category). Then, the section is found in the PATH_INFO and has this pattern: 
"/{category}/*".

What you want: You want to make sure that whoever edits/deletes a category is 
either the category's maintainer or an editor.

If the above is correct, you could write a predicate checker like this:
"""
class can_manage_category(Predicate):
    message = 'Category "%(category_name)s" can only be managed by its '
              'maintainer or an editor'

    def evaluate(self, environ, credentials):
        # Finding the current category:
        variables = self.parse_variables(environ)
        category_name = variables.named_args.get("category")
        category = DBSession.query(Category).get(category_name)
        if not category:
            self.unmet("No such category!!")
        # Checking if the current user is the manager or an editor:
        user_id = credentials.get("repoze.what.userid")
        user = DBSession.query(User).get(user_id)
        if user != category.manager or user not in category.editors:
            # The user is not the manager or an editor!
            self.unmet(category_name=category_name)
"""

Then you'll be able to use it like a normal predicate checker.

¡Saludos!

PS: I ignored the part "I also have a different condition depending on the 
user" because I don't know exactly what you meant by that, and I found that it 
could mean two completely different things:
 * That you have different *responses* depending on the user, when 
authorization is denied. For example, if authorization is denied: Do X if the 
current user is Foo, do Y if he's Bar, or do Z otherwise.
 * That you have *additional conditions for some users*. For example, the 
predicate to be met reads: "Categories can only be edited by their respective 
maintainer and editors, as well as the site admin as long as his IP address 
belongs to the local network".
-- 
Gustavo Narea <xri://=Gustavo>.
| Tech blog: =Gustavo/(+blog)/tech  ~  About me: =Gustavo/about |
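As an added example (not part of Gustavo's post or of repoze.what itself), the predicate above modelled stand-alone so its allow/deny outcomes can be exercised without a database: `Predicate`, `NotAuthorizedError`, the `USERS`/`CATEGORIES` dicts and the `wsgiorg.routing_args` lookup are assumed stand-ins for the repoze.what classes and the application's DBSession model.

```python
from dataclasses import dataclass, field

class NotAuthorizedError(Exception): pass  # stand-in for repoze.what's exception

class Predicate:  # minimal stand-in for repoze.what.predicates.Predicate
    message = "Not authorized"

    def unmet(self, msg=None, **placeholders):
        raise NotAuthorizedError((msg or self.message) % placeholders)

    def is_met(self, environ, credentials):
        try:
            self.evaluate(environ, credentials)
        except NotAuthorizedError:
            return False
        return True

@dataclass(frozen=True)
class User:
    user_id: str

@dataclass
class Category:
    name: str
    manager: User
    editors: list = field(default_factory=list)

# Constructed sample data standing in for the DBSession queries in the post:
# alice maintains "Computers", bob is its only editor, carol is unrelated.
USERS = {u.user_id: u for u in (User("alice"), User("bob"), User("carol"))}
CATEGORIES = {"Computers": Category("Computers", USERS["alice"], [USERS["bob"]])}

class can_manage_category(Predicate):
    message = ('Category "%(category_name)s" can only be managed by its '
               'maintainer or an editor')
    def evaluate(self, environ, credentials):
        # The category name is the named routing argument from "/{category}/*".
        category = CATEGORIES.get(environ["wsgiorg.routing_args"][1].get("category"))
        if category is None:
            self.unmet("No such category!!")
        user = USERS.get(credentials.get("repoze.what.userid"))
        # Deny only when the user is neither the maintainer nor an editor; with
        # 'or' instead of 'and' the maintainer would be denied as well.
        if user != category.manager and user not in category.editors:
            self.unmet(category_name=category.name)

def can_manage(user_id, category_name):
    # True if user_id may manage category_name, False otherwise (no exception).
    environ = {"wsgiorg.routing_args": ((), {"category": category_name})}
    return can_manage_category().is_met(environ, {"repoze.what.userid": user_id})
```

An unknown user id or an unknown category both end in `unmet()`, so the predicate fails closed rather than raising an unrelated error.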
