durusmail: quixote-users: Extension of _q_access
Extension of _q_access
2004-05-25
Maas-Maarten Zeeman
2004-05-23
Hello,

I would like to ask for feedback on an idea. Quixote applications can use
_q_access to perform access checks. During development it struck me as
odd that _q_access only has knowledge about the request being made, and
not about the attribute that will be accessed by quixote. This makes it
hard if you want unlimited access to an attribute of your object. After
browsing through the quixote code I found out that it is possible to add
a parameter to the _q_access call which makes this possible.

    publish.py

    # Second security check: call _q_access function if it's present.
    if hasattr(container, '_q_access'):
        # will raise AccessError if access failed
        container._q_access(request, component) # <- extra parameter

This allows for more fine-grained access control if needed.

Something like

    from quixote.errors import AccessError

    def _q_access(request, name):
        if request.session.user is None and name == "private_thing":
            raise AccessError('You must be logged in to access "private_thing".')

would then be possible.

It is also possible to stay backward compatible with old application
code by checking the arity of the _q_access method before calling.

What do you think? Would it be worth adding the extra parameter or not?
Or is it better to do this in a different way, like in the exported
methods themselves?

Regards,

Maas



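The backward-compatible arity check proposed in the message above, as an added example that is not part of the original post and not Quixote's own code. `AccessError` is a local stand-in for `quixote.errors.AccessError`, and `call_q_access`, `is_allowed` and the two sample containers are hypothetical names constructed for illustration (written for Python 3).

```python
import inspect
from types import SimpleNamespace


class AccessError(Exception):
    """Stand-in for quixote.errors.AccessError so this runs without Quixote."""


def call_q_access(container, request, component):
    """Call container._q_access, passing the component name only if accepted.

    If the signature cannot be inspected, the exception propagates, so the
    traversal fails instead of silently skipping the access check.
    """
    check = getattr(container, "_q_access", None)
    if check is None:
        return  # container defines no access hook
    params = list(inspect.signature(check).parameters.values())
    positional = [p for p in params
                  if p.kind in (inspect.Parameter.POSITIONAL_ONLY,
                                inspect.Parameter.POSITIONAL_OR_KEYWORD)]
    varargs = any(p.kind == inspect.Parameter.VAR_POSITIONAL for p in params)
    if varargs or len(positional) >= 2:
        check(request, component)  # new style: (request, name)
    else:
        check(request)             # old style: (request) only


def legacy_access(request):
    # Old-style hook: cannot see which attribute is being traversed.
    if request.session.user is None:
        raise AccessError("You must be logged in.")


def fine_grained_access(request, name):
    # New-style hook from the message: only "private_thing" needs a login.
    if request.session.user is None and name == "private_thing":
        raise AccessError('You must be logged in to access "private_thing".')


# Constructed sample containers (stand-ins for Quixote namespaces).
legacy_container = SimpleNamespace(_q_access=legacy_access)
new_container = SimpleNamespace(_q_access=fine_grained_access)


def is_allowed(container, user, component):
    """Return True if the container's access hook lets the request through."""
    request = SimpleNamespace(session=SimpleNamespace(user=user))
    try:
        call_q_access(container, request, component)
    except AccessError:
        return False
    return True
```
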