Changes between Version 5 and Version 6 of IdentityManagement


Timestamp:
11/25/05 20:39:50 (14 years ago)
Author:
ggodfrey+turbogears@…
Comment:

--

  • IdentityManagement

    v5 v6  
    178178 
    179179''Option number 2 only works if your using a Model that supports groups on the user object. So, with the default model you’ll be set. Other models might not work so well.'' 
     180 
     181---- 
     182=== Restricting Access to whole Subdirectory === 
     183 
     184(from mailing list) 
     185 
     186You should be able to restrict access to a subdirectory by subclassing SecureResource in your descendent objects. So you might have the following: 
     187 
     188{{{ 
     189class Toxicologia(controller.Controller, identity.SecureResource): 
     190     required_permissions= ["write"] 
     191     required_groups= ["admin"] 
     192     allowed_hosts= ["127.0.0.1"] 
     193     identity_required= True 
     194}}} 
     195 
     196You can apply whatever decorators you want on the methods of the 
     197Toxicologia instance. So each method could have additional 
     198restrictions. And Toxicologia could have SecureObjects as well. 
     199However, access to exposed methods of Toxicologia and any 
     200SecureObjects would have to satisfy the authorisation requirements 
     201for Toxicologia. 
     202 
     203---- 
     204=== Specifying an 'or' type for group Access === 
     205 
     206There are two ways to handle this: 
     207 
     208'''1''' Derive your Controller from SecureResource (in addition to 
     209Controller) and check the permissions explicitly. For example: 
     210 
     211{{{ 
     212class MyController( controllers.Controller, identity.SecureResource ): 
     213 
     214     @turbogears.expose( html="mytemplate" ) 
     215     def myFunction( self ): 
     216         if not ("admin" in identity.current.groups or \ 
     217                 "super" in identity.current.groups): 
     218             raise identity.GroupMembershipRequiredException( ("admin", "super") ) 
     219}}} 
     220 
     221This will work because SecureResource wraps all exposed methods with 
     222code that checks permissions and traps IdentityExceptions. So if your 
     223code throws, er, raises an IdentityException, everything will be 
     224handled correctly. 
     225 
     226Of course, you can then pull your authorisation logic out into a 
     227function that you call rather than copying and pasting into each 
     228function that requires it. 
     229 
     230'''2''' Write your own decorator function. This is not for the faint at 
     231heart. But it gives you absolute flexibility. Take a look at the two 
     232decorators in turbogears/identity/conditions.py. They'll give you a 
     233head-start on what you'll have to do. 
     234
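Review bot: The two examples name the base class module differently: new line 189 uses `controller.Controller` while new line 212 uses `controllers.Controller`. A reader copying either block will hit a NameError on one of them, so use the same module name in both and show the import it relies on. In the second example (new lines 215-218), `myFunction` has no body after the group check even though it is exposed with `html="mytemplate"`; adding the normal return after the check would make it clear that the `raise` is a guard and not the whole method. Next to the Toxicologia class (new lines 189-193) it would also help to state whether `required_permissions`, `required_groups` and `allowed_hosts` must all be satisfied together, because the following section is about expressing an 'or' and the contrast is currently left implicit.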