Re: Django ACL Design Question

Tim Chase Mon, 20 Apr 2009 03:35:57 -0700

>    def MustHavePermission(*required_perms):
>      def decorate(f):
>        def new_f(request, *args, **kwargs):
>          perms = UserCompanies.objects.filter(
>            user=request.user,
>            company=determine_company(request),
>            )
>          for perm in required_perms:
>            perms = perms.filter(permission=perm)
>          if not perms:
>            raise Http403("Sorry, Dave, I can't let you do that.")
>          return f(request, *args, **kwargs)
>        return new_f
>      return decorate


I noticed some serious bogosity in this logic (it only passed if 
a single permission was required, never if multiple permissions 
were required).  That innermost function should be something like

   def new_f(request, *args, **kwargs):
     have = set(
       UserCompanies.objects.filter(
         user=request.user,
         company=determine_company(request)
         ).values_list("permission", flat=True)
       )
     if have.issuperset(set(required_perms)):
       return f(request, *args, **kwargs)
     raise Http403("No way, Jose!")


-tim




--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Re: Django ACL Design Question

Reply via email to