On May 2, 2007, at 8:42 PM, durumdara wrote:
>
> Hi!
>
> Thanks for your help!
>
> I wrote same thing in modpy. My module is check the request, load the
> rights for the requested page, and determine what's happening.
>
> But your libraries seems to be better than my own.
>
> Last question:
> Can I get the current controller object/current controller procedure?
> Example:
>
> ...XController:
> def index(self):
> callmain()
> ...
> def main(self):
> callmain()
> ...
> def about(self):
> callmain()
> ...
>
> callmain is a global procedure. It it I want to something that is
> depend on the current controller, and the current procedure; but I
> don't want to pass them as parameters (example: callmain(self,
> 'about')).
> Can I reproduce the the controller object itself, and the caller
> procedure name from any global variable of Pylons?
>
> Example:
> pylons.main.currentcontroller
> pylons.main.currentcontrollerproc
>
> I want know that I need to traverse the request path, or pylons is
> store it in a global variable?
You can peek into pylons.request.environ['pylons.routing_args']
['controller'] to see the name of the controller as Routes sees it.
To find the controller class that is being instantiated you'll have
to do something similar so what the "resolve" method does in
PylonsBaseWSGI app, however, maybe you can implement something easier
in the __before__ hook of a base class for all controllers you want
to protect.
What I do with TPS to protect controller methods is somethiing like
this:
import tps
class MyBaseController(BaseController):
tps.permissions(
index = "ANYBODY",
save = "SAVE",
)
def __before__(self, action):
# Will check if current logged in user has permission
# declared with "permissions" on MyBaseController instances
# If not, it'll raise a SecurityDenial exception that will be
trapped
# my TPS's middleware and turn it into a 401 or 403 (depends
# if there's a user logged in).
# AuthKit will trap 401s and prompt the user to login
tps.policy.raise_if_denied(obj=self, name=action)
def index(self):
....
def save(self, id):
...
The policy object which defines the security rules for the
application and is passed as a parameter to tps' middleware could be
something like:
class AppPolicty(tps.Policy):
@allows.when("perm == 'ANYBODY'"):
def allow_anybody(self, obj, name, perm, user):
return True
@allows.when("perm == 'SAVE' and isinstance(obj, FooController)")
def allow_save_foos(self, obj, name, perm, user):
if user_can_save_foos:
return True
else:
return tps.Denial("Sorry %s, you cannot save Foos" %
user)
Creating these security rules requires some knowledge of how
RuleDispatch[1] works.
However, protecting controller methods was not the main reason I've
written tps (heavily inspired on peak.security)... Where both
libraries shine at is at enforcing security rules when handling
business objects, for example:
def do_something_with_bar(self, id):
obj = model.Bar.get(id)
tps.raise_if_denied(obj, perm="DO_SOMETHING")
The security rules to handle this case could check if current logged
in user is the owner of that object etc...
The biggest advantage I see in this approach is that security rules
can be changed for different deployments without modifying the
original app, for example, by loading policy factories as plugins and
selectiing one via a config option.
Alberto
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
