Changes between Version 5 and Version 6 of IdentityManagement

11/25/05 20:39:50 (14 years ago)



  • IdentityManagement

    v5 v6  
    179179''Option number 2 only works if your using a Model that supports groups on the user object. So, with the default model you’ll be set. Other models might not work so well.'' 
     182=== Restricting Access to whole Subdirectory === 
     184(from mailing list) 
     186You should be able to restrict access to a subdirectory by subclassing SecureResource in your descendent objects. So you might have the following: 
     189class Toxicologia(controller.Controller, identity.SecureResource): 
     190     required_permissions= ["write"] 
     191     required_groups= ["admin"] 
     192     allowed_hosts= [""] 
     193     identity_required= True 
     196You can apply whatever decorators you want on the methods of the 
     197Toxicologia instance. So each method could have additional 
     198restrictions. And Toxicologia could have SecureObjects as well. 
     199However, access to exposed methods of Toxicologia and any 
     200SecureObjects would have to satisfy the authorisation requirements 
     201for Toxicologia. 
     204=== Specifying an 'or' type for group Access === 
     206There are two ways to handle this: 
     208'''1''' Derive your Controller from SecureResource (in addition to 
     209Controller) and check the permissions explicitly. For example: 
     212class MyController( controllers.Controller, identity.SecureResource ): 
     214     @turbogears.expose( html="mytemplate" ) 
     215     def myFunction( self ): 
     216         if not ("admin" in identity.current.groups or \ 
     217                 "super" in identity.current.groups): 
     218             raise identity.GroupMembershipRequiredException( ("admin", "super") ) 
     221This will work because SecureResource wraps all exposed methods with 
     222code that checks permissions and traps IdentityExceptions. So if your 
     223code throws, er, raises an IdentityException, everything will be 
     224handled correctly. 
     226Of course, you can then pull your authorisation logic out into a 
     227function that you call rather than copying and pasting into each 
     228function that requires it. 
     230'''2''' Write your own decorator function. This is not for the faint at 
     231heart. But it gives you absolute flexibility. Take a look at the two 
     232decorators in turbogears/identity/conditions.py. They'll give you a 
     233head-start on what you'll have to do.
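
Review bot: The two examples disagree on the module that provides the base class: the Toxicologia example (new line 189) derives from `controller.Controller`, while the MyController example (new line 212) derives from `controllers.Controller`. One of them is a typo, and since readers will copy these snippets to protect whole subtrees, the names should be made consistent. In the same Toxicologia example, `allowed_hosts= [""]` is shown without any explanation of what a single empty-string entry means. Either say whether it permits or blocks hosts, or drop the attribute from the sample so it is not copied blindly as an access restriction. The prose at new lines 198-200 also switches to "SecureObjects" without introducing the term. A short definition, or a link to where it is described, would make clear what the statement that they must satisfy Toxicologia's authorisation requirements actually covers.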