Jeff Rush wrote:
Michal Pasternak wrote:
2009/4/19 Jeff Rush <[email protected]>:
[...]
2) Alternatively, one could dynamically generate a custom tree of
pages/resources within the realm object, returning a
different tree depending upon the
identity/permissions of the user.
I think this is the preferred approach ATM.
This would seem to make it
complicated to (a) guarantee that all visitors see the exact
same URL structure and,
You can share the same URL mapper between all users of your site.
Hmmm, I'm not aware of a centralized URL mapper in the Twisted framework as
there is in other Python frameworks that use regular expression mappers.
I think you can write one easily. The question is, do you really need
one? :-)
AFAIK, in Twisted, the URL tree is constructed piece by piece using a series
of .putChild('segment', resource) calls (or child_XXX class attributes) which,
if you construct a complex tree with lots of conditionals based on the access
rights of the user, can be messy.
Or, you can override locateChild().
Conditionals make the code messy. That's why I like the idea of
returning trees of resources, that wrap the avatar object and know
nothing about access control.
(b) consume more
time/memory with constructing duplicate page/resource trees when thousands of
users may be visiting the site, with a mix of permissions.
You don't have to duplicate page resources; you can create a single
resource and return it for as many users as you want.
While users with identical roles can share resource trees, it seems you'd need
a unique tree for each 'kind' of user.
If you like, you can also remember the avatar object on the request
object, and then make your resources (which may be singleton
instances) get the avatar from the request.
I think that you will spare a few kilobytes of RAM at the cost of making
your code a little bit more complicated.
I'm thinking I'll have to write something like decorators for page resources
that front-end the locateChild method (for access control over traversal),
and perhaps the renderHTTP method (for access control over page delivery) with
permissions checking logic.
What is your permission model exactly? What kind of limitations of
current guard implementation would you like to solve?
It is role-based, where a user can possess a mix of multiple roles, such as
user A is (member, ), user B is (member, instructor), user C is (admin, ).
For that scenario I'd need three resource trees that include/exclude different
things. I could pre-build trees for all possible combinations of roles, or
build on demand and cache the last N trees keyed by role combination. Not
very elegant though.
Instead I'm looking for something more like:
    @access('instructor')
    class StudentRosterPage(rend.Page):
        ...
where after traversal ends, a page's renderHTTP() method does:
    if request.user.session.role in self.page_roles:
        ...return content
How about this:
* create a central mapping of { privilege : [resourceClass,
orInstances] }
* make your decorators put classes into that mapping
* show your resources where they belong (self.url, for example)
* in your IRealm implementation, return trees of resources for a
given privilege; you can return trees of classes and create
instances on the fly, you can create all the instances that you share
between users as singletons and put them in those trees too...
I think it will work with guard; it will also allow you to write API you
described. Do you see any potential problems with this approach?
It is pretty cool - and that is why I'm asking because Twisted has always
introduced me to new ideas and ways of doing things. Perhaps there is
significant security leverage already in there I'm not understanding, or maybe
most people using Twisted roll their own web security mechanisms.
[...]
Besides security, I'm looking for examples of smart ways to build up a complex
website from parts developed and packaged by others, without a lot of messy
wiring logic.
Looks like you need Divmod Mantissa.
http://www.divmod.org/trac/wiki/DivmodMantissa
http://www.divmod.org/trac/wiki/DivmodMantissa/Sharing
BTW, list: it would be ubercool to have a downloadable repository of
packaged LiveFragments (or Mantissa plugins). All the hard parts (code &
tests) are already done...
--
m
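To make the two proposals in this thread concrete (Jeff's `@access(...)` decorator with a role check in the render method, and Michal's central mapping of { privilege : [resourceClass] } with the realm handing back a tree per role combination), here is an added example in plain Python 3. It is not code from the thread, and none of it is Nevow's or Twisted's API: `Page`, `Avatar`, `REGISTRY`, `LAYOUT`, `build_tree`, `locate` and `fetch` are stand-ins named for illustration, and the three users and their roles are the ones Jeff listed. It goes slightly beyond the sketch by checking roles both during traversal (the locateChild front-end) and again at render time, so that a singleton page shared between trees cannot be served to an avatar that reached it another way.

```python
"""Role-based access control over a resource tree, in the shape sketched in
the thread. Added example: nothing here is Nevow's or Twisted's API; Page,
Avatar, REGISTRY, LAYOUT, build_tree, locate and fetch are stand-ins
constructed for illustration."""
from functools import lru_cache

# Central mapping { role : [page classes] }, filled in by the decorator.
REGISTRY = {}


def access(*roles):
    """Class decorator: record which roles may traverse to / render a page
    and register the class in REGISTRY under each of those roles."""
    def decorate(cls):
        cls.page_roles = frozenset(roles)
        for role in roles:
            REGISTRY.setdefault(role, []).append(cls)
        return cls
    return decorate


class Avatar:
    """Stand-in for what a realm hands back after login: a user with a
    mix of roles, e.g. ('member', 'instructor')."""
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


class Page:
    """Minimal stand-in for a page resource with named children."""
    page_roles = frozenset()   # empty set means a public page

    def __init__(self):
        self.children = {}

    def put_child(self, segment, child):
        self.children[segment] = child
        return child

    def allows(self, avatar):
        # A user with any one of the page's roles may see it.
        return not self.page_roles or bool(self.page_roles & avatar.roles)

    def render(self, avatar):
        # Second check at delivery: the same instance may be shared between
        # several trees, so traversal alone must not be trusted.
        if not self.allows(avatar):
            return 403, "forbidden"
        return 200, "%s for %s" % (type(self).__name__, avatar.name)


class Root(Page):
    pass


@access("member", "instructor", "admin")
class CoursePage(Page):
    pass


@access("instructor")
class StudentRosterPage(Page):
    pass


@access("admin")
class AdminPage(Page):
    pass


# One static URL layout shared by every user: segment -> page class.
LAYOUT = {"courses": CoursePage, "roster": StudentRosterPage, "admin": AdminPage}


@lru_cache(maxsize=8)
def build_tree(roles):
    """What an IRealm.requestAvatar would return: a tree for this role
    combination. Pages the roles cannot see are simply not attached; the
    cache is keyed by the frozenset, so users with identical roles share
    one tree (Jeff's 'cache the last N trees keyed by role combination')."""
    root = Root()
    for segment, cls in LAYOUT.items():
        if not cls.page_roles or cls.page_roles & roles:
            root.put_child(segment, cls())
    return root


def locate(root, segments, avatar):
    """Traversal with an access check at every step (the locateChild
    front-end). An inaccessible page is reported as missing rather than
    forbidden, so its existence is not leaked."""
    node = root
    for seg in segments:
        node = node.children.get(seg)
        if node is None or not node.allows(avatar):
            return None
    return node


def fetch(avatar, path):
    """End to end: pick the tree for the avatar's roles, traverse, render."""
    tree = build_tree(avatar.roles)
    page = locate(tree, [s for s in path.split("/") if s], avatar)
    if page is None:
        return 404, "not found"
    return page.render(avatar)
```

Because `build_tree` is keyed by the role set rather than by user, the three role mixes from the thread produce exactly three trees however many users log in; the render-time check is what keeps a shared singleton safe if some other tree or a future `putChild` exposes it.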
_______________________________________________
Twisted-web mailing list
[email protected]
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web