Hello, everybody.
[I'm sorry, Christoph, I forgot to reply to the other email about this.]
Defining and/or evaluating predicates inside the template is something that
I'd consider anti-MVC and anti-DRY prone (see below); nevertheless, I agree
that a *similar* ability is necessary but not available by default with
repoze.what -- something like:
"""
<a py:if="can_access('/admin/')" href="/admin/">
This is a link for admins
</a>
"""
instead of:
"""
<a py:if="evaluate(in_group('admins'))" href="/admin/">
This is a link for admins
</a>
"""
The former is not anti-MVC because it's not defining the access condition --
authorization should only be dealt with in the controller, not in the view.
And it's not redundant (i.e., anti-DRY), compared to the latter, because you're
not duplicating the access rule (that is, the predicates) -- hence I say that
the latter makes your code anti-DRY prone.
With that fake can_access() function you would just check if you can access
the resource in question -- regardless of whether it's protected by predicates
or not.
The problem falls on repoze.what's predicate-based verification, which makes
things a little harder to ship with a truly framework-independent
implementation; in a system that computes an Access Control List based on the
*traversal of a path*, like the now unmaintained repoze.decsec [1], this
functionality would be available out-of-the-box in a framework-independent
way. Fortunately in repoze.what v2, predicates won't be the only way to
control access -- it will support repoze.decsec-like ACLs as well.
But I'd be happy to implement a function like the can_access() above in TG2.
In fact it's one of the things that I've wanted for some time, but I've not
had the time to implement. I think we need to open a ticket if you people
agree that this would be useful. :)
Cheers!
[1]
http://www.plope.org/Members/chrism/decsec_proposal
http://plope.org/Members/chrism/decsec_revisited
On Thursday January 29, 2009 23:13:29 Christoph Zwerschke wrote:
> I have mentioned this problem already in the context of ip-based
> authorization, but it is actually a more general question.
>
> Usually you do not only want to restrict access to certain controller
> methods, but you already want to hide certain links depending on which
> permissions the user has. In order to do that, you must be able to check
> predicates in the template. In TG 1.0 this was easily possible:
>
> http://docs.turbogears.org/1.0/UsingIdentity#using-identity-in-templates
>
> Can I do the same with TG 2.0? I.e. when I have a repoze.what check
> predicate that I'm using in a "require" decorator, can I reuse the same
> check predicate in a template? Ideally, I'd like to just call it and get
> a boolean value back.
>
> -- Christoph
>
>
--
Gustavo Narea <http://gustavonarea.net/>.
Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/
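
The can_access() idea from the message above, as an added sketch that is not TG2 or repoze.what code: the rule for a path is declared once, the controller enforces it, and the template only asks whether the path is reachable. Every name here (protect, can_access, enforce, the stand-in in_group class, the sample users) is hypothetical.

```python
import posixpath

class in_group:
    """Stand-in predicate for this sketch (hypothetical, not repoze.what's class)."""
    def __init__(self, group):
        self.group = group

    def is_met(self, user):
        return user is not None and self.group in user.get("groups", ())

# The access rules live in one place, keyed by the path they guard.
PROTECTED = {}

def _normalize(path):
    # Collapse "//", "." and ".." so "/admin/x/../" is looked up as "/admin".
    return posixpath.normpath("/" + path.lstrip("/"))

def protect(path, predicate):
    PROTECTED[_normalize(path)] = predicate

def _ancestors(path):
    # "/admin/users" -> "/admin/users", "/admin", "/"
    while True:
        yield path
        if path == "/":
            return
        path = posixpath.dirname(path)

def can_access(path, user):
    """True when every rule guarding the path or one of its parents is met.
    A path with no rule at all is accessible."""
    path = _normalize(path)
    return all(PROTECTED[p].is_met(user) for p in _ancestors(path) if p in PROTECTED)

def enforce(path, user):
    """Controller side: the same lookup, but a failure denies the request."""
    if not can_access(path, user):
        raise PermissionError(path)

# Constructed sample data.
protect("/admin/", in_group("admins"))
ADMIN = {"name": "alice", "groups": ["admins"]}
GUEST = {"name": "bob", "groups": []}

if __name__ == "__main__":
    for path in ("/admin/", "/admin/users/../", "/administrator", "/about"):
        print(path, can_access(path, ADMIN), can_access(path, GUEST))
```

The template would call can_access('/admin/', user) only to decide whether to render the link; the request is still checked by enforce() in the controller, so a hidden link is never the only barrier.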