I am trying to understand how Twisted Web security works, based on a few links:
http://jcalderone.livejournal.com/53074.html
http://twistedmatrix.com/documents/current/web/howto/web-in-60/http-auth.html

They all explain how to set up a web app with, let's say, HTTP auth. But there are no examples on how a Resource method (let's say render_GET) could get access to the current Avatar object. And does the Avatar object need to implement some specific interface?

What I want to do in CorePost is to allow fine-grained, privilege-based security *per method* (similar in style to Spring Security, for those who know it), e.g.:

    @route("/user",Http.GET)
    @secured("BROWSE_USER")
    def getUser(self,request,**kwargs):
        return ...some user info...

    @route("/user",Http.POST)
    @secured("UPDATE_USER")
    def updateUser(self,request,userId,**kwargs):
        ...create new user, etc...

If the Avatar does not have the required privileges (e.g. "BROWSE_USER" or "UPDATE_USER" in the example above), I want to throw a 403 Access Denied automatically.

Thanks for any pointers

Jacek
https://github.com/jacek99/corepost
