Hi everybody,

I'm new to TG and I'm working on a simple user login/creation/edit/
delete system. I've used the default authentication & authorization TG
option and am using CrudRestController to provide an interface for the
admins to add & edit users other than the one that was generated with
AdminController. I've followed this tutorial to implement it
http://turbogears.org/2.1/docs/main/Extensions/Crud/index.html

So I have, in my /controllers/root.py:

# Imports used by the classes below (as in the tgext.crud tutorial);
# DBSession and User come from the project's own model package.
from tgext.crud import CrudRestController
from sprox.tablebase import TableBase
from sprox.fillerbase import TableFiller, EditFormFiller
from sprox.formbase import AddRecordForm, EditableForm

# Table displaying all the users
class UserTable(TableBase):
    __model__ = User
    __omit_fields__ = ['user_id', '_password', 'created']
user_table = UserTable(DBSession)

# Fills the table above with rows from the User model
class UserTableFiller(TableFiller):
    __model__ = User
user_table_filler = UserTableFiller(DBSession)

# User creation form
class UserNew(AddRecordForm):
    __model__ = User
    __omit_fields__ = ['user_id', '_password', 'created']
user_new_form = UserNew(DBSession)

# User edit form and filler
class UserEdit(EditableForm):
    __model__ = User
    __omit_fields__ = ['user_id', '_password', 'created']
user_edit_form = UserEdit(DBSession)

class UserEditFiller(EditFormFiller):
    __model__ = User
user_edit_filler = UserEditFiller(DBSession)

# User controller
class UserController(CrudRestController):
    model = User
    table = user_table
    table_filler = user_table_filler
    new_form = user_new_form
    edit_form = user_edit_form
    edit_filler = user_edit_filler

And in the same file, under the RootController:

user = UserController(DBSession)

However, if everybody could access those create & edit forms via the
RESTful links, it won't be very useful, will it? For example,
malicious visitors could just type in [link]/user/create to create a
new user without any authentication. So I would like to know whether
there is a way to require authentication each time somebody wants to
access a RESTful link?

Again, I'm new to the whole concept of web application framework so
please bear with me :)

Thank you very much,

Adlq
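
The gap described in this post, as an added example that is not part of the original message or of TurboGears: TurboGears 2 checks a controller's `allow_only` predicate before dispatching to any of its methods, so a mounted `CrudRestController` without one serves its forms and write handlers to anonymous visitors. The classes below are constructed stand-ins (nothing is imported from TurboGears), and `GuardedUserController`, `managed_user`, `anonymous_write_handlers` and the `'manage'` permission name are assumptions made for illustration.

```python
class CrudRestController(object):
    """Constructed stand-in for tgext.crud.CrudRestController (not the real class)."""
    allow_only = None  # TurboGears 2 checks this predicate before any method runs

    # Handler names the real controller exposes for forms and writes.
    def new(self): pass
    def edit(self): pass
    def post(self): pass
    def put(self): pass
    def post_delete(self): pass

WRITE_HANDLERS = ('new', 'edit', 'post', 'put', 'post_delete')

class has_permission(object):
    """Constructed stand-in for a repoze.what predicate such as has_permission."""
    def __init__(self, name):
        self.name = name

class UserController(CrudRestController):
    pass  # as posted: no allow_only, so every handler is open to anonymous visitors

class GuardedUserController(CrudRestController):
    allow_only = has_permission('manage')  # assumed permission name

class RootController(object):
    user = UserController()                 # mounted at /user, unguarded
    managed_user = GuardedUserController()  # hypothetical guarded mount

def anonymous_write_handlers(root):
    """Map each mounted CRUD controller lacking allow_only to its open write handlers."""
    report = {}
    for name, mounted in vars(type(root)).items():
        if not isinstance(mounted, CrudRestController):
            continue
        if getattr(mounted, 'allow_only', None) is not None:
            continue  # guarded at controller level
        report['/' + name] = [h for h in WRITE_HANDLERS
                              if callable(getattr(mounted, h, None))]
    return report

if __name__ == '__main__':
    for path, handlers in sorted(anonymous_write_handlers(RootController()).items()):
        print(path, handlers)
```

In a real project the predicate would come from `repoze.what.predicates`, and the same check can run as a unit test over the actual `RootController`.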
