I'm in the early stages of designing my first Pyramid app and I was hoping for some verification on my approach to instance-level authorization. Most of the stock documentation discusses global ACLs which apply to an entire class, not individual instances of that class. Consider a simple CMS which lets users create pages, then only edit the pages they create.

My thought goes something like this:

Configure each route with a factory, to generate a context object:

    config.add_route('edit_page', 'edit_page/{page}', factory='myproject.resources.PageFactory')

In this case the PageFactory would return the {page} instance of the Page model.

Then configure a view for the route with some permission requirement:

    config.add_view('myproject.views.edit_page', route_name='edit_page', permission='edit')

??? I'm not clear what the difference is between passing a factory to add_route vs. passing a context to add_view. I believe the factory can create a specific instance of a "Page" and pass it to the view. I don't know what the context would be if I passed context="myproject.resources.Page" to add_view.

Then, within the constructor for a Page, created by the PageFactory, an acl decorator would be set to that instance based on the owner. Something like...

    def __init__(self, ...):
        self.__acl__ = [
            (Allow, Everyone, 'view'),
            (Allow, 'user:owners_name_from_db', 'edit'),
        ]

Then, only a person who is authenticated as "owners_name_from_db" would be allowed to view the edit_page view. The value of owners_name_from_db would be loaded as part of the object when it was instantiated by the PageFactory.

I'm really sketchy on how this all fits together. The documentation is great if you're making a site where a group of editors can edit everything, but not so much when you want individuals to be able to edit specific instances.

I appreciate any advice,
Brian

--
You received this message because you are subscribed to the Google Groups "pylons-devel" group.
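The pattern sketched in the post, worked through as an added example that is not code from the original message or from the Pyramid project: a route factory that resolves {page}, a Page context whose __acl__ is built from the owner loaded for that instance, and an ACL check that grants 'edit' only to the owner. The Allow/Everyone/Authenticated names, the PAGES_DB stand-in, FakeRequest and permits() are assumptions made so the example runs without Pyramid installed; permits() mirrors the first-match rule of Pyramid's ACLAuthorizationPolicy.

```python
# Added example, not code from the original post: a Page context whose __acl__
# comes from the owner loaded for that instance, and the route factory that
# resolves {page}. Allow/Everyone and permits() re-implement the first-match
# rule of pyramid.security / ACLAuthorizationPolicy so this runs offline;
# a real app imports them from pyramid and lets the framework call permits().
Allow, Everyone, Authenticated = "Allow", "system.Everyone", "system.Authenticated"

PAGES_DB = {"home": "alice", "about": "bob"}  # constructed stand-in: page -> owner


class Page:
    """Context object: 'view' for everyone, 'edit' only for the owner principal."""

    def __init__(self, page_id, owner):
        self.page_id, self.owner = page_id, owner
        self.__acl__ = [
            (Allow, Everyone, "view"),
            (Allow, f"user:{owner}", "edit"),
        ]


def page_factory(request):
    """Route factory (any callable works): Pyramid calls it with the request and
    hands the returned object to the view as `context`."""
    page_id = request.matchdict["page"]
    if page_id not in PAGES_DB:
        raise KeyError(page_id)  # a real factory would raise HTTPNotFound
    return Page(page_id, PAGES_DB[page_id])


def permits(context, principals, permission):
    """First ACE matching a principal and the permission decides; walks
    __parent__ when the context has one; no match means deny."""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", []):
            perms = [perms] if isinstance(perms, str) else perms
            if principal in principals and permission in perms:
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False


class FakeRequest:  # constructed: only the matchdict a factory needs
    def __init__(self, page):
        self.matchdict = {"page": page}


def allowed(user_id, page_id, permission):
    """user_id None = anonymous; otherwise principals an auth policy would add."""
    principals = {Everyone} if user_id is None else {Everyone, Authenticated, f"user:{user_id}"}
    return permits(page_factory(FakeRequest(page_id)), principals, permission)
```

With a real Pyramid setup the same outcome comes from `permission='edit'` on add_view plus the ACL on the context returned by the factory; the framework performs the check and returns 403 when it fails.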