Ticket #2364 (closed documentation: fixed)

Opened 8 years ago

Last modified 8 years ago

Document protection of static files via the identity framework in TG1

Reported by: Chris Arndt
Owned by: Chris Arndt
Priority: normal
Milestone: 1.1
Component: Documentation
Version: 1.0
Severity: normal
Keywords: identity, static files, needs documentation
Cc:

Description

There is a feature for protecting static files via the identity framework in TG1 using appropriate config entries, which currently seems undocumented.

See this mailing list thread for details.

Change History

comment:1 Changed 8 years ago by Chris Arndt

  • Owner changed from carndt to Chris Arndt
  • Status changed from new to assigned

comment:2 Changed 8 years ago by Chris Arndt

I did some tests with this functionality today and it turns out the code in SecureResource to read the identity predicate from the configuration is buggy and rather useless:

1) URLs served by the CherryPy static filter bypass the controller tree completely, so there's nowhere to attach a SecureResource mix-in to.

2) Even if it were possible, you can't set an identity predicate object instance in a config file, you have to do it in your Python code with config.update(). Which somehow defeats the purpose of having a configuration setting for this at all. It seems that at the time when Jeff Watkins wrote this, the configuration was still Python code, so I guess it made sense then.

3) When SecureResource checks the identity.require setting it doesn't specify a config path, so you can't do something like this:

[/path/to/controller]
identity.require = ???

resp.

config.update({'/path/to/controller': {
    'identity.require': identity.not_anonymous()}})

You are only able to set one identity predicate globally, which is rather limiting.

4) Finally the current code in the 1.1/1.5 branches has a name error bug: it uses turbogears.config.get but the top-level package is not imported, so it should be config.get. This bug only manifests itself when the SecureObject instance has no 'require' attribute (fixed in SVN now).

I have written a small controller, which emulates the CherryPy static filter and implements reading identity permissions from the configuration:

http://paste.chrisarndt.de/paste/ec93b89991404056963c9241e3ff58eb

I will add this recipe to http://docs.turbogears.org/1.1/StaticFiles.
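
The approach comment:2 describes (a path-scoped identity.require setting applied to statically served files), as an added framework-independent sketch; it is not the recipe from the paste link and not TurboGears code. The config layout, the string predicate names, the static root and all function names are assumptions made for illustration.

```python
import posixpath

# Constructed sample settings. Config files hold only strings, so predicates
# are named here and turned into callables in code (names are assumptions).
STATIC_URL, STATIC_ROOT = "/static", "/srv/app/static"
CONFIG = {
    "/static/private": {"identity.require": "not_anonymous"},
    "/static/private/admin": {"identity.require": "in_group:admin"},
}
PREDICATES = {
    "not_anonymous": lambda user, arg: user is not None,
    "in_group": lambda user, arg: user is not None and arg in user["groups"],
}


def config_get(key, path, default=None):
    """Return key from the most specific config section that covers path."""
    while True:
        section = CONFIG.get(path, {})
        if key in section:
            return section[key]
        if path == "/":
            return default
        path = posixpath.dirname(path)


def authorize_static(url_path, user):
    """Map an already percent-decoded URL path to (status, file path)."""
    # Normalise first so "../" segments cannot dodge a protected section
    # or escape the static root.
    clean = posixpath.normpath("/" + url_path.lstrip("/"))
    if not clean.startswith(STATIC_URL + "/"):
        return 404, None
    rule = config_get("identity.require", clean)
    if rule is not None:
        name, _, arg = rule.partition(":")
        check = PREDICATES.get(name)
        # An unknown predicate name denies access instead of allowing it.
        if check is None or not check(user, arg):
            return 403, None
    return 200, STATIC_ROOT + clean[len(STATIC_URL):]


if __name__ == "__main__":
    alice = {"name": "alice", "groups": ["users"]}  # constructed identity
    for path in ("/static/css/site.css", "/static/private/a.txt",
                 "/static/css/../private/admin/r.pdf"):
        print(path, authorize_static(path, None), authorize_static(path, alice))
```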

comment:3 Changed 8 years ago by Chris Arndt

  • Status changed from assigned to closed
  • Resolution set to fixed