On Wed, Jul 8, 2009 at 9:44 AM, Speedbird <ju...@techfuel.net> wrote:
> > From Yarko:
> #
> #...@user.is_logged_in
> #def my secure function
> #
> #A user (class) validating access to sensitive information.... ugh!
>
> Perhaps I am a little lost here Yarko, what would then be the
> alternative to the above syntax?

All I was saying is this is more "centered" in authorization (one place responsible for related things), same syntax but different classes, focus:

    @auth.requires_login()
    @auth.requires_membership('this_group_manager')
    def my_restricted_function():
        # code here...
        pass

For me, this reads better, looks more correct, is more appropriate structurally than "user is..." etc. user.has_role to me looks more like a test, so I can add or remove - that is, do actions on a user's record. auth.whatever is the gatekeeper - what protects target to appropriate actors. Does this make sense?

Live users present credentials (since we don't expect robotic login, we don't model this); system keeps user issued credentials - just like organization keeps record of your birth, or licensing, etc. to ensure against forgeries... that's the user record, and I expect user class to hold actions to manage the user record (NOT to manage access - only to help AUTH validate access); and a gatekeeper - auth in this case - controls access by comparing each (like the customs person at the airport). This naturally locates responsibilities (actions, record-keeping) where they naturally belong.

"user.is_logged_in" is under-responsible - as if "anyone" can check (or forget to), and does not mirror "real world" systems (birth, customs, licensing, identification, visa transactions, etc. etc. etc.).

.... and Massimo is right, this has gone off topic... It's about a fundamental way of thinking, modeling things that reflect real-world (e.g. "model") and the problem at hand.

Auth (authentication / authorization) functions: needs to be logged in; needs to have membership

> - I am asking this because at least
> in the Zope realm, this is rather common (i.e.
> AUTHENTICATED_USER.has_role([rolelist] or even
> AUTHENTICATED_USER.has_permissions(permission, object)) though
> security implementation can obviously be applied differently, the
> examples I am stating are relatively common and I don't see this being
> an issue for any of the security purists out there. I think I am
> missing something here.
>
> Thanks,
>
> -- Julio
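The gatekeeper split argued for above, as an added example that is not web2py's own Auth implementation: a toy `Auth` that owns the session and the group memberships and makes every access decision through `requires_login()` / `requires_membership()` decorators, while `User` is only a record. All class and function names here are assumed; in this sketch both decorators are factories, so `requires_login()` takes parentheses.

```python
from functools import wraps

class NotAuthorized(Exception):
    """Raised by the gatekeeper when access is refused (a web app would redirect to login)."""

class User:
    """The user record: identity only. It keeps no access logic; that is Auth's job."""
    def __init__(self, user_id, name):
        self.id, self.name = user_id, name

class Auth:
    """The gatekeeper: owns the session and the memberships and makes every access decision."""
    def __init__(self):
        self.user = None          # the logged-in User, or None
        self._memberships = {}    # user id -> set of group names

    def login(self, user):
        self.user = user
    def logout(self):
        self.user = None
    def add_membership(self, group, user):
        self._memberships.setdefault(user.id, set()).add(group)
    def has_membership(self, group):
        return self.user is not None and group in self._memberships.get(self.user.id, set())

    def _guard(self, allowed, message):
        """Build a decorator that runs the action only when allowed() is true."""
        def decorator(action):
            @wraps(action)
            def wrapper(*args, **kwargs):
                if not allowed():
                    raise NotAuthorized(message)
                return action(*args, **kwargs)
            return wrapper
        return decorator

    def requires_login(self):
        return self._guard(lambda: self.user is not None, "login required")
    def requires_membership(self, group):
        return self._guard(lambda: self.has_membership(group), f"membership in {group!r} required")

auth = Auth()  # one gatekeeper instance, as in the decorators quoted above
@auth.requires_login()
@auth.requires_membership('this_group_manager')
def my_restricted_function():
    return "manager-only data"
def attempt(action):
    """Call a guarded action; return its result, or the gatekeeper's refusal message."""
    try:
        return action()
    except NotAuthorized as exc:
        return f"refused: {exc}"
```

Because the outer decorator runs first, an anonymous caller is refused for "login required" before the membership check is ever consulted, and revoking the session via `auth.logout()` closes access again without touching the user record.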