Changeset 4809

Timestamp:

06/24/08 11:52:44 (5 months ago)

Author:

faide

Message:

This is the first part of the implementation for the SecureController?. The rest will be in the quickstart template.

Files:

• trunk/tg/controllers.py (modified) (26 diffs)

trunk/tg/controllers.py

@@ -3 +3 @@
-
-  DecoratedController allows the decorators in tg.decorators to work
-
+
-  ObjectDispatchController is a specialised form of DecoratedController that
-  converts URL portions into traversing Python objects.  This controller is
-  usable in plain pylons if you route to it's "routes_placeholder" method
-
+
-  TGController is a specialised form of ObjectDispatchController that forms the
-  basis of standard TurboGears controllers.  The "Root" controller of a standard
@@ -20 +20 @@
-import pylons
-from pylons.controllers import WSGIController
-
-from pylons.controllers.util import abort
-
-
+, HTTPClientError
-from tw.api import Widget
+from webob.exc import HTTPForbidden
-
-log = logging.getLogger(__name__)
@@ -45 +45 @@
-    The decorators in tg.decorators create an attribute named 'decoration' on
-    the controller method, creating rules as to:
-
+
-    1) how to validate the request,
-    2) how to render the response,
-    3) allowing hooks to be registered to happen:
-
+
-        a) before validation
-        b) before the controller method is called
@@ -71 +71 @@
-
-        The before_render hook provides a place for functions that are called
- 
+
-        add and remove from the dictionary returned by the controller method,
-        before it is passed to rendering.
@@ -78 +78 @@
-        rendering.
-        """
-
+
-        self._initialize_validation_context()
-
@@ -100 +100 @@
-
-        except formencode.api.Invalid, inv:
- 
+
-                                                                remainder,
-                                                                params, inv)
@@ -135 +135 @@
-        if validation is None:
-            return params
-
+
-        #Initialize new_params -- if it never gets updated just return params
-        new_params = {}
-
+
-        # The validator may be a dictionary, a FormEncode Schema object, or any
-        # object with a "validate" method.
@@ -166 +166 @@
-                    formencode.schema.format_compound_error(errors),
-                    params, None, error_dict=errors)
-
+
-        elif isinstance(validation.validators, formencode.Schema):
-            # A FormEncode Schema object - to_python converts the incoming
-            # parameters to sanitized Python values
-            new_params = validation.validators.to_python(params)
-
+
-        elif hasattr(validation.validators, 'validate'):
-            # An object with a "validate" method - call it with the parameters
-            new_params = validation.validators.validate(params)
-
+
-        # Theoretically this should not happen...
-        if new_params is None:
-            return params
-
+
-        return new_params
-
@@ -204 +204 @@
-
-        # Always set content type
- 
+
-        req = pylons.request
-
@@ -218 +218 @@
-                    warnings.warn(msg, DeprecationWarning)
-                    setattr(pylons.c.w, key, item)
-
+
-        # Prepare the engine, if it's not already been prepared.
-        if engine_name not in _configured_engines():
@@ -228 +228 @@
-        #if there is an identity, push it to the pylons template context
-        pylons.tmpl_context.identity = pylons.request.environ.get('repoze.who.identity')
-
+
-        # Setup the template namespace, removing anything that the user
-        # has marked to be excluded.
@@ -262 +262 @@
-
-        pylons.c.validation_exception = exception
- 
-
+
+
-        # Most Invalid objects come back with a list of errors in the format:
-        #"fieldname1: error\nfieldname2: error"
@@ -272 +272 @@
-            field_value = error.split(':')
-
- 
+
-            #return the error as a global form error
-            if len(field_value) == 1:
@@ -279 +279 @@
-
-            pylons.c.form_errors[field_value[0]] = field_value[1].strip()
-
+
-        pylons.c.form_values = exception.value
-
@@ -292 +292 @@
-
-        return error_handler, output
-
+
-    def _initialize_validation_context(self):
-        pylons.c.form_errors = {}
@@ -349 +349 @@
-            url_path = pylons.request.path.split('/')[1:]
-        else:
- 
-
+
+
-        controller, remainder = _object_dispatch(self, url_path)
-        # XXX Place controller url at context temporarily... we should be
@@ -364 +364 @@
-    def _perform_call(self, func, args):
-        controller, remainder, params = self._get_routing_info(args.get('url'))
-self, controller, params,
-                                    
-
-        
+
+self, controller, params,
+
+
-        """
-        This function does not do anything.  It is a placeholder that allows
@@ -383 +383 @@
-            obj, remainder = _find_object(obj, remainder, notfound_handlers)
-            return obj, remainder
+
+        # identity error should be treated separatly from "not found" errors
+        except HTTPForbidden, httpe:
+            log.debug("a 403 error occured for obj: %s" % obj)
+            raise
+
-        except HTTPException:
-            if not notfound_handlers:
-                raise HTTPNotFound().exception
+
-            name, obj, remainder = notfound_handlers.pop()
-            if name == 'default':
-                return obj, remainder
+
-            else:
-                obj, remainder = obj(*remainder)
@@ -397 +405 @@
-        if obj is None:
-            raise HTTPNotFound().exception
+
+        _check_security(obj)
+
-        if _iscontroller(obj):
-            return obj, remainder
@@ -415 +426 @@
-        if not remainder:
-            raise HTTPNotFound().exception
+
-        obj = getattr(obj, remainder[0], None)
-        remainder = remainder[1:]
+
+def _check_security(obj):
+    """this function checks if a controller has a 'require' attribute and if
+    it is the case, test that this require predicate can be evaled to True.
+    It will raise a Forbidden exception if the predicate is not valid.
+    """
+    if hasattr(obj, "im_self"):
+        klass_instance = obj.im_self
+    else:
+        klass_instance = obj
+
+    if hasattr(klass_instance, "check_security"):
+        if not klass_instance.check_security():
+            raise HTTPForbidden().exception
+            #abort(403)
-
-def _iscontroller(obj):
@@ -429 +456 @@
-    An ObjectDispatchController-derived class for stock-standard TurboGears
-    controllers.
-
- 
+
+
-    object dispatch tree, but it MUST be used in the Root controller
-
+n
-    using Routes.
-    """
-
+
-    def _perform_call(self, func, args):
-        setup_i18n()
-        routingArgs = None
-
+
-        if isinstance(args, dict) and 'url' in args:
-            routingArgs = args['url']
-
+
-        try:
-            controller, remainder, params = self._get_routing_info(routingArgs)
-            result = DecoratedController._perform_call(
-                self, controller, params, remainder=remainder)
+
-        except HTTPException, httpe:
-            result = httpe
@@ -467 +495 @@
-    if not params:
-        params = {}
-
+
-    curent_url = pylons.request.url
-    url = urlparse.urljoin(curent_url, url)
@@ -476 +504 @@
-        url = url.encode('utf8')
-    found = HTTPFound(location=url).exception
-
+
-    #TODO: Make this work with WebOb
-
+
-    ## Merging cookies and headers from global response into redirect
-    #for header in pylons.response.headerlist:
@@ -495 +523 @@
-        app_root = pylons.request.application_url[len(pylons.request.host_url):]
-        tgpath = app_root + tgpath
- 
+
-        result = tgpath
-    else:
- 
+
-
-    if tgparams is None:
@@ -525 +553 @@
-        result += "?" + "&".join(args)
-    return result
-
+
-
-def setup_i18n():
@@ -543 +571 @@
-            set_lang(languages[0])
-            log.info("Set request language to %s", languages[0])
- 
- 
+
+
-    "url", "redirect"
-    ]