Hi, I have an extra question going back to our original discussion on security.
If I serve a Resource Avatar from a Realm, is there any built-in way to attach something to the request as it is being intercepted by the Realm? For example, for every request I would like to create a Principal object (username, first name, last name, list of privileges, etc.) and attach it to every request that has been authenticated.

From the API I see, it seems you can serve a customized Resource (and that is fine for simpler admin vs read-only authentication schemes), but in some cases you need really fine-grained APIs (where a decorator per each REST method may be the only option), so it would be good for every request to be linked with the Principal that represents the user making the request.

Thanks for any suggestions

Jacek

On Thu, Feb 23, 2012 at 4:53 PM, Glyph <[email protected]> wrote:

>
> On Feb 23, 2012, at 4:09 PM, Jacek Furmankiewicz wrote:
>
> Ah, I think I get it.
>
> Hooray!
>
> So Avatar = root resource that this user can access, correct?
>
> Yes, that is exactly correct!
>
> (More generally: root protocol-specific thing that a user can access,
> since this applies to other authenticated protocols as well, and ideally,
> eventually, all protocols within Twisted.)
>
> That is quite flexible actually. It's like you can serve a totally
> different application (i.e. resource) to the user depending on their
> credentials/roles/etc.
>
> Yup. And you can write wrappers in whatever way you see fit. The idea is
> that instead of inserting "self.makeSureItIsSecure()" checks in (or
> decorators on) every single method, users without the proper authentication
> can't even *access the objects* whose methods they want to call; there's
> no security error, just a 404. This means that it's much harder to make
> the mistake where you grant too much authority to anonymous users.
>
> I will wrap my head around it a bit more in the coming weeks and see how I
> can add the functionality I want (able to add fine grained security per
> REST method on a resource)
> while working in spirit with the twisted.web.guard approach.
>
> Great. I'm really enthusiastic to see what you come up with. Feel free
> to continue discussing ideas on this list as you're thinking through them -
> this is an area of Twisted that could stand to be talked about a lot more
> :).
>
> Thanks to everyone for your help
>
> Always happy to help someone through to the point of actual understanding!
>
> -glyph
>
> _______________________________________________
> Twisted-web mailing list
> [email protected]
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web
