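from turbogears import expose, identity
from turbogears.controllers import Controller, RootController

# Classes are defined innermost-first so each name exists before it is mounted.
class A3(Controller):
    @expose()
    def meth3(self): return dict()

class A2(Controller):
    A3 = A3()  # sub-controller mounted below A2
    @expose()
    def meth2(self): return dict()

class A1(RootController):
    # SecureObject wraps a controller instance, so A2 is instantiated here
    A2 = identity.SecureObject(A2(), identity.in_group('test'))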
then access to /A1/A2/meth2 is limited, as expected, by the
identity.SecureObject construction. But if I access /A1/A2/A3/meth3
there is no access limitation! I would have thought that if there is
identity involved anywhere in the object dispatch chain access will be
limited accordingly. Is it a feature or a bug?
I'm using tg 1.1b3
Cheers,
Daniel

Submitted a ticket on this:
http://trac.turbogears.org/ticket/2207

Well at least the docs around catwalk are unclear and could lead
people to this situation, but Mark is right... SecureResource is the
way to go for your use case.
Florent.

Mark, Florent, it turns out identity.SecureResource doesn't cascade
down to subcontrollers either. This contradicts the docs on the point
Mark mentioned too, i.e.
"""
Protecting a Controller
To restrict access to an entire controller (i.e. a whole URL subtree),
add identity.SecureResource to the base classes of your Controller and
add a require attribute at the class level:
"""
I added identity.SecureResource to the base class of CatWalk, but the URL
/admin/browse/?object_name=mytable
is still accessible and the access restriction is only applied to
/admin itself. (Assuming that I have "mounted" the catwalk controller
as admin.)
I've updated the ticket.
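
A framework-independent model of the gap reported in this thread, added here as an illustration and not taken from TurboGears or from any poster. It assumes a wrapper that only checks exposed methods it hands out directly; Guard, Denied, build and probe are hypothetical names, and the cascade flag shows the behaviour the posters expected.

```python
from types import SimpleNamespace

class Denied(Exception):
    """Raised when the access check fails."""

def expose(fn):
    fn.exposed = True              # mark a method as reachable by URL
    return fn

class Guard:
    """Toy proxy: checks allowed() before running exposed methods of target."""
    def __init__(self, target, allowed, cascade):
        self._target, self._allowed, self._cascade = target, allowed, cascade

    def __getattr__(self, name):
        value = getattr(self._target, name)
        if getattr(value, "exposed", False):
            def checked(*args, **kwargs):
                if not self._allowed():
                    raise Denied(name)
                return value(*args, **kwargs)
            checked.exposed = True
            return checked
        if self._cascade and not callable(value) and not name.startswith("_"):
            return Guard(value, self._allowed, True)   # child inherits the check
        return value                                   # child leaves the guard

class A3:
    @expose
    def meth3(self): return "meth3"

class A2:
    A3 = A3()
    @expose
    def meth2(self): return "meth2"

def build(cascade, in_group):
    a1 = SimpleNamespace(A2=Guard(A2(), lambda: in_group, cascade))
    return SimpleNamespace(A1=a1)

def probe(cascade, in_group, path):
    """Walk the path attribute by attribute, as object dispatch does."""
    node = build(cascade, in_group)
    try:
        for part in path.strip("/").split("/"):
            node = getattr(node, part)
        return node() if getattr(node, "exposed", False) else "not found"
    except Denied:
        return "denied"
```

Without cascade, probe(False, False, "/A1/A2/A3/meth3") returns the page content even though the caller is not in the group; a regression test that walks every mounted path as an unauthorised user catches this class of gap.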