#2364: Document protection of static files via the identity framework in TG1
---------------------------------------------------------+------------------
 Reporter:  Chris Arndt                                  |        Owner:  Chris Arndt
     Type:  documentation                                |       Status:  assigned
 Priority:  normal                                       |    Milestone:  1.1
Component:  Documentation                                |      Version:  1.0
 Severity:  normal                                       |   Resolution:
 Keywords:  identity, static files, needs documentation  |
---------------------------------------------------------+------------------
Comment (by Chris Arndt):

 I did some tests with this functionality today and it turns out the code in
 !SecureResource to read the identity predicate from the configuration is
 buggy and rather useless:

 1) URLs served by the !CherryPy static filter bypass the controller tree
 completely, so there's nowhere to attach a !SecureResource mix-in to.

 2) Even if it were possible, you can't set an identity predicate object
 instance in a config file, you have to do it in your Python code with
 `config.update()`. Which somehow defeats the purpose of having a
 configuration setting for this at all. It seems that at the time when Jeff
 Watkins wrote this, the configuration was still Python code, so I guess it
 made sense then.

 3) When !SecureResource checks the `identity.require` setting it doesn't
 specify a config path, so you can't do something like this:

 {{{
 [/path/to/controller]
 identity.require = ???
 }}}

 resp.

 {{{
 config.update({'/path/to/controller': {
     'identity.require': identity.not_anonymous()}})
 }}}

 You are only able to set one identity predicate globally, which is rather
 limiting.

 4) Finally the current code in the 1.1/1.5 branches has a name error bug:
 it uses `turbogears.config.get` but the top-level package is not imported,
 so it should be `config.get`. This bug only manifests itself when the
 !SecureObject instance has no 'require' attribute (fixed in SVN now).

 I have written a small controller, which emulates the !CherryPy
 static filter and implements reading identity permissions from the
 configuration:

 http://paste.chrisarndt.de/paste/ec93b89991404056963c9241e3ff58eb

 I will add this recipe to http://docs.turbogears.org/1.1/StaticFiles.

-- 
Ticket URL: <http://trac.turbogears.org/ticket/2364#comment:2>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
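
The per-path lookup that points 2 and 3 of the comment find missing, as an added framework-free sketch (not the recipe linked in the ticket and not TurboGears code). The string predicate format, the `CONFIG` contents and all function names are assumptions made for illustration.

```python
import posixpath

# Constructed per-path settings in the "[/path] identity.require = ..." shape.
# Assumption of this sketch: predicates are named by plain strings so they can
# live in a config file; the string format and all names here are hypothetical.
CONFIG = {
    "/static": {"identity.require": "anonymous"},
    "/static/private": {"identity.require": "not_anonymous"},
    "/static/private/reports": {"identity.require": "in_group:managers"},
}

def parse_predicate(spec):
    """Map a config string to a callable that takes a user dict (or None)."""
    name, _, arg = spec.partition(":")
    if name == "anonymous":
        return lambda user: True
    if name == "not_anonymous":
        return lambda user: user is not None
    if name == "in_group" and arg:
        return lambda user: user is not None and arg in user.get("groups", ())
    raise ValueError("unknown predicate: %r" % (spec,))

def normalize(url_path):
    """Collapse '.', '..' and repeated slashes before any lookup is made."""
    return posixpath.normpath("/" + url_path.lstrip("/"))

def required_predicate(url_path, config=CONFIG):
    """Most specific section wins; with no matching section, deny everyone."""
    path = normalize(url_path)
    while True:
        section = config.get(path, {})
        if "identity.require" in section:
            return parse_predicate(section["identity.require"])
        if path == "/":
            return lambda user: False  # fail closed
        path = posixpath.dirname(path)

def authorize(url_path, user, config=CONFIG):
    """Return the normalized path to serve, or None if access is refused."""
    path = normalize(url_path)
    return path if required_predicate(path, config)(user) else None
```

The predicate is chosen from the normalized path, and the caller serves only the path that `authorize` returns, so a request such as `/static/css/../private/a.pdf` is checked against the `/static/private` section rather than `/static`.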
