I saw there is a ticket open for authentication / authorization. I also
read that CatWalk has no security for now.
What I propose is not a design by simply a standardize high-level
function API to check authorization. I currently use the following:
def checkRole(role='admin'):
# checkRole implementation.
In simple word, a checkRole function taking a string for the role, by
default 'admin'. How this is mapped internally, how role and identities
are implemented, represented and accessed is hidden from the API.
Currently checkRole() sets a turbogears flash error then redirect to
the login page ("/" on my site). Maybe checkRole could be extended to
be:
def checkRole(role='admin',error='You are not
authorized.',redirect='/')
# checkRole implementation.
A few points of discussion:
- How to plugin the checker? By setting a pre-defined tg variable?
- Alternative check result: specifiable exception, callback?
- Check without raising error? This currently can be done by a try:
block.
I also think separating authentication API and authorization APi is a
good thing, although a given implementation can (and probably will)
make them common internally for obvious reasons.
