> > What does that mean exactly? You can have multiple RESTful controllers,
> > and they can call functions defined elsewhere if necessary.
>
> Just taking the sample code in the docs as an example: you have the
> patterns, the magic sauce in parse_as_rest(), then the db object
> passes the results to the parser.response or raises an Error. So if
> you wanted to split that up you first would have to know which of the
> patterns was hit, then have a switch type of structure to pass
> processing the result set to the proper party.
>
> I suppose we could use more thorough documentation.

Note, when the parser.status == 200, there is also a parser.pattern attribute storing the pattern that was matched, so you can use that to implement additional logic based on the pattern if necessary.

> > > 2) it blurs the separation of routing and application level logic
> >
> > What problems does this cause? How would you prefer to do it?
>
> I'm very much of the belief of separation of responsibilities. Maybe
> by convention it could search for the tuples in
> <model>/url_patterns.py?

What is the benefit of storing the patterns in a separate file? What responsibilities are being separated? Anyway, you could certainly store your patterns in an external module and then import them in your api function if desired.

> Imagine that the user requesting /friend/Joe/Pets had access to Joe,
> but not to his pet list or, for instance,
> .../friend/Joe/Pets/Jeets/breed the user had access to his friend
> Joe's pets, but not their breed. How would you enforce that in this
> case? Honest question because as I've said before I'm fairly new to
> web2py

You can use the web2py Auth system to define user permissions on particular records. parse_as_rest() then takes a "query" argument, which can be either a single query or a dictionary of queries per table. The query restricts the set of returned records, so you could define it to include only the records the user is authorized to view. To facilitate this, you can use the auth.accessible_query() method (see http://web2py.com/books/default/chapter/29/9#Authorization). Restricting access to a particular field would take a little extra work. In that case, you would either have to parse the field out of the URL and check permissions on it, or get the returned records and then confirm that the user has permissions on all the fields included in the result.

Anthony
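To make the two approaches above concrete, here is an added example (my own sketch, not Anthony's code and not part of web2py) of a controller that feeds parse_as_rest() a per-table query built from auth.accessible_query() and then applies a field-level check, both by reading the requested field out of the matched pattern and by stripping unauthorized columns from the returned rows. The pattern strings, the person/pet tables, the FIELD_PERMISSIONS map and the `queries=` keyword spelling are assumptions; db, auth, request and HTTP are the globals web2py injects into a controller.

```python
# Added example, not web2py project code. Record-level access is delegated to
# auth.accessible_query(); field-level access is handled by the helpers below.

# Assumed patterns, written in the style of the web2py book's RESTful example.
PATTERNS = [
    "/friends[person]",
    "/friend/{person.name}/pets[pet.owner]",
    "/friend/{person.name}/pet[pet.owner]/{pet.name}/:field",
]

# Constructed permission map: pet fields the caller may read. 'breed' is
# deliberately absent to model the "pets but not their breed" case.
FIELD_PERMISSIONS = {"pet": {"name", "species"}}


def requested_field(pattern, args):
    """Return the value matched by a trailing ':field' segment, else None.

    Each pattern segment matches exactly one request arg, so the field name
    sits at the same index as the ':field' segment.
    """
    segs = [s for s in pattern.split("/") if s]
    if segs and segs[-1] == ":field" and len(args) == len(segs):
        return args[len(segs) - 1]
    return None


def field_allowed(table, field, permissions=FIELD_PERMISSIONS):
    """First strategy: check the field parsed out of the URL."""
    return field in permissions.get(table, set())


def strip_unauthorized_fields(rows, table, permissions=FIELD_PERMISSIONS):
    """Second strategy: drop columns the caller may not read from each row."""
    allowed = permissions.get(table, set())
    return [{k: v for k, v in row.items() if k in allowed} for row in rows]


def api():
    # One query per table so each record set is limited to what the user
    # holds a 'read' permission on (see auth.accessible_query in the book).
    queries = {"person": auth.accessible_query("read", db.person),
               "pet": auth.accessible_query("read", db.pet)}
    parser = db.parse_as_rest(PATTERNS, request.args, request.vars,
                              queries=queries)
    if parser.status != 200:
        raise HTTP(parser.status, parser.error)
    field = requested_field(parser.pattern, request.args)
    if field is not None and not field_allowed("pet", field):
        raise HTTP(403, "not authorized to read pet.%s" % field)
    return dict(content=parser.response)
```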