identity.SecureObject doesn't cascade down to subcontrollers?


Daniel Fetchinson
Feb 12, 2009, 2:44:06 AM
to turbogears
If I have nested controllers like so:

# each class is defined before the class that references it
class A3( Controller ):
    @expose( )
    def meth3( self ): return dict( )

class A2( Controller ):
    @expose( )
    def meth2( self ): return dict( )
    A3 = A3( )

class A1( RootController ):
    A2 = identity.SecureObject( A2, identity.in_group( 'test' ) )

then access to /A1/A2/meth2 is limited, as expected, by the
identity.SecureObject construction. But if I access /A1/A2/A3/meth3
there is no access limitation! I would have thought that if there is
identity involved anywhere in the object dispatch chain access will be
limited accordingly. Is it a feature or a bug?

I'm using tg 1.1b3

Cheers,
Daniel

--
Psss, psss, put it down! - http://www.cafepress.com/putitdown

Daniel Fetchinson
Feb 13, 2009, 2:15:25 PM
to turbogears
> If I have nested controllers like so:
>
> class A3( Controller ):
>     @expose( )
>     def meth3( self ): return dict( )
>
> class A2( Controller ):
>     @expose( )
>     def meth2( self ): return dict( )
>     A3 = A3( )
>
> class A1( RootController ):
>     A2 = identity.SecureObject( A2, identity.in_group( 'test' ) )
>
> then access to /A1/A2/meth2 is limited, as expected, by the
> identity.SecureObject construction. But if I access /A1/A2/A3/meth3
> there is no access limitation! I would have thought that if there is
> identity involved anywhere in the object dispatch chain access will be
> limited accordingly. Is it a feature or a bug?
>
> I'm using tg 1.1b3


Submitted a ticket on this:

http://trac.turbogears.org/ticket/2207

Mark Ramm
Feb 14, 2009, 7:41:57 AM
to turbo...@googlegroups.com
In my understanding this is the expected behavior.

SecureObject just secures that one object, but if you want to secure
the whole controller class you should make it subclass SecureResource.

This is all documented here:

http://docs.turbogears.org/1.0/UsingIdentity#protecting-resources
--
Mark Ramm-Christensen
email: mark at compoundthinking dot com
blog: www.compoundthinking.com/blog

Daniel Fetchinson
Feb 14, 2009, 10:44:00 PM
to turbo...@googlegroups.com
> In my understanding this is the expected behavior.
>
> SecureObject just secures that one object, but if you want to secure
> the whole controller class you should make it subclass SecureResource.
>
> This is all documented here:
>
> http://docs.turbogears.org/1.0/UsingIdentity#protecting-resources

I'm not saying I understand everything around this topic, but Florent
has just increased the priority of this ticket to highest and severity
to major which made me think that this behaviour is not intended.

Anyway, I'll try using SecureResource in the meantime.

Cheers,
Daniel

Florent Aide
Feb 15, 2009, 3:43:45 AM
to turbo...@googlegroups.com
On Sun, Feb 15, 2009 at 4:44 AM, Daniel Fetchinson
<fetch...@googlemail.com> wrote:
>
>> In my understanding this is the expected behavior.
>>
>> SecureObject just secures that one object, but if you want to secure
>> the whole controller class you should make it subclass SecureResource.
>>
>> This is all documented here:
>>
>> http://docs.turbogears.org/1.0/UsingIdentity#protecting-resources
>
> I'm not saying I understand everything around this topic, but Florent
> has just increased the priority of this ticket to highest and severity
> to major which made me think that this behaviour is not intended.
>
> Anyway, I'll try using SecureResource in the meantime.

Well at least the docs around catwalk are unclear and could lead
people to this situation, but Mark is right... SecureResource is the
way to go for your use case.

Florent.

Daniel Fetchinson
Feb 18, 2009, 1:53:21 AM
to turbo...@googlegroups.com

Mark, Florent, it turns out identity.SecureResource doesn't cascade
down to subcontrollers either. This contradicts the docs on the point
Mark mentioned too, i.e.

"""
Protecting a Controller

To restrict access to an entire controller (i.e. a whole URL subtree),
add identity.SecureResource to the base classes of your Controller and
add a require attribute at the class level:
"""

I added identity.SecureResource to the base class of CatWalk, but the URL

/admin/browse/?object_name=mytable

is still accessible and the access restriction is only applied to
/admin itself. (Assuming that I have "mounted" the catwalk controller
as admin.)

I've updated the ticket.
