I'm not sure it's appropriate to check permissions based on route
names. I haven't done this yet in Pyramid, but in Pylons I used
external knowledge to decide if the user should see certain links, and
passed a boolean to the template: true => show the links, false =>
don't show them. If the user somehow gets to the page without going
through the links, they get the forbidden error. If they see the link
and click on it and get the forbidden error, it's a bug in the
application.

The Pyramid equivalent would be something like
has_permission(perm_name), or for record-specific permissions, somehow
checking whether the user can view that db record. But it's not based
solely on the route name.  I'm not sure I'm comfortable with basing
decisions like this on route names. I don't have a concrete objection,
just that something might go wrong someday when a route you didn't
expect returns permitted or denied.

On Mon, Nov 14, 2011 at 10:24 AM, Michael Merickel <mmeri...@gmail.com> wrote:
> You can use pyramid.security.has_permission() to check access to a
> particular permission. view_execution_permitted is traversal-only.
> For has_permission() you just need to be sure to pass in the context that
> contains the correct ACLs for that view.
>
> On Mon, Nov 14, 2011 at 12:18 PM, Mark Erbaugh <m...@microenh.com> wrote:
>>
>> On Nov 14, 2011, at 10:29 AM, Mattias wrote:
>>
>> Is there any way to check if the user has the required permissions
>> when I only know the route_name?
>>
>> from pyramid.view import view_config
>>
>> def main(global_config, **settings):
>>     [snip]
>>     config.add_route('administrations', '/administrations')
>>
>> class Administration(object):
>>     def __init__(self, request):
>>         self.request = request
>>
>>     @view_config(route_name='administrations',
>>                  renderer='administration.mako',
>>                  permission='admin')
>>     def admin(self):
>>         return {'name': 'test'}
>>
>> I tried view_execution_permitted(self.request.context, self.request,
>> view_name) but since I am using URL dispatch my views don't have any
>> view_names, so that function always returns an Allowed() instance.
>>
>>
>> My understanding is that someone without admin permission would
>> automatically get a HTTP Forbidden response if they try to visit the
>> administrations page. In fact, in the documentation under the SQLAlchemy +
>> URL Dispatch Tutorial, the HTTP Forbidden view is remapped to the login
>> screen. Thus, if someone tries to access the page without proper
>> credentials, they get a chance to provide those credentials.
>> Or am I missing something in your question?
>> Mark
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "pylons-discuss" group.
>> To post to this group, send email to pylons-discuss@googlegroups.com.
>> To unsubscribe from this group, send email to
>> pylons-discuss+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/pylons-discuss?hl=en.
>
>
>
> --
>
> Michael
>



-- 
Mike Orr <sluggos...@gmail.com>
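Added here as an editor's example, not code from this thread or from Pyramid itself: a stand-alone model of the lineage walk that Pyramid's ACLAuthorizationPolicy performs behind has_permission(), showing that the result depends on which context is passed in (and on ACE order, since the first matching entry wins), not on the route name, and how a view turns that into the boolean Mike describes handing to the template. Root, AdminArea, the user and group names and their ACLs are assumed for illustration.

```python
# Added example (not from this thread or from Pyramid): a stand-alone model of
# the ACL lineage walk that Pyramid's ACLAuthorizationPolicy performs behind
# has_permission(). Root, AdminArea, the users and groups are assumed.
Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"


class Root(object):
    """Root context: anyone may 'view', only admins get 'admin'."""
    __parent__ = None
    __acl__ = [(Allow, Everyone, "view"),
               (Allow, "group:admins", "admin")]


class AdminArea(object):
    """Child context whose own ACL is consulted before its parent's."""
    __acl__ = [(Deny, "user:intern", "admin")]

    def __init__(self, parent):
        self.__parent__ = parent


def effective_principals(userid, groups=()):
    """Principals Pyramid would derive for a request: Everyone always,
    Authenticated plus the userid and groups only when logged in."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid] + list(groups)
    return principals


def has_permission(permission, context, principals):
    """Walk from context up through __parent__; the first ACE whose
    principal and permission both match decides. No match means denied."""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", ()):
            matches = permission == perms if isinstance(perms, str) else permission in perms
            if matches and principal in principals:
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False


def template_vars(userid, groups, context):
    """What a view hands the template: show the admin link only when the
    same check that guards the admin view would pass for this user here."""
    show = has_permission("admin", context, effective_principals(userid, groups))
    return {"show_admin_link": show}
```

The intern case is the one to watch: a Deny on the child context wins even though the parent would allow the same group, which is exactly why the context handed to has_permission() has to be the one carrying the view's real ACL.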
