How to pass a complex validation object to a forbidden view?

10 views
Skip to first unread message

Sean Hammond

unread,
Aug 29, 2022, 1:53:25 PM8/29/22
to pylons-...@googlegroups.com
If a view raises an exception, say a custom ValidationError class, then that ValidationError object is set as request.exception when the exception view is called (if you have registered a matching custom exception view).

On the other hand if a security policy denies access (returning a Denied object) then the forbidden view (again: if you've registered one) gets called with an HTTPForbidden object as request.exception.

Is there a nice way to attach a custom error object to the forbidden view? For example by replacing the HTTPForbidden with a custom exception class, or by attaching an exception or dict to the HTTPForbidden?

The Denied object that the security policy returned is available to the forbidden view as request.exception.result. The Denied class's only attribute is a msg string. But I suppose the security policy could just attach a custom attribute to the Denied object?

Or would you implement a custom subclass of Denied? That's what ACLSecurityPolicy seems to do.

Thanks!

Michael Merickel

unread,
Aug 29, 2022, 2:12:40 PM8/29/22
to pylons-...@googlegroups.com
You’re free to subclass HTTPForbidden or just extend it. You can also subclass Denied as you noted. The big question to me is whether you can control the generation of that object to use the subclass and off the top of my head I think it’s always done in user code right now if you’re using the new SecurityPolicy interface but I could be wrong! You just have to program the forbidden view a little defensively or make a separate one for your subclass so that you can still handle exceptions generated from code you may not control.

- Michael

> On Aug 29, 2022, at 13:53, Sean Hammond <pylons-...@snhmnd.fastmail.com> wrote:
>
> If a view raises an exception, say a custom ValidationError class, then that ValidationError object is set as request.exception when the exception view is called (if you have registered a matching custom exception view).
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/bcf4aa9c-205d-4dc1-a684-20fa1f59a889%40www.fastmail.com.

Sean Hammond

unread,
Aug 29, 2022, 2:22:10 PM8/29/22
to pylons-...@googlegroups.com
> You’re free to subclass HTTPForbidden or just extend it.

But if I subclass HTTPForbidden, how do I get an instance of my subclass to be passed to the forbidden view (as request.exception) instead of the standard HTTPForbidden class? I thought it was Pyramid rather than user code that constructs that HTTPForbidden object.

> You can also
> subclass Denied as you noted. The big question to me is whether you can
> control the generation of that object to use the subclass and off the
> top of my head I think it’s always done in user code right now if
> you’re using the new SecurityPolicy interface but I could be wrong!

Yeah, this looks to me like it would work. I'll give it a try

> You
> just have to program the forbidden view a little defensively or make a
> separate one for your subclass so that you can still handle exceptions
> generated from code you may not control.

Yep, good tip

Michael Merickel

unread,
Aug 29, 2022, 6:51:08 PM8/29/22
to pylons-...@googlegroups.com
Yeah sorry I looked at the ISecurityPolicy after your comments and subclassing HTTPForbidden probably isn’t the best option in general because you don’t control all of its call sites. For your security policy you likely want to return a subclass of Denied and detect that in your forbidden view.

If you have a need to pass that info explicitly from elsewhere in your codebase it may be convenient to define a HTTPForbidden subclass for easier raising. It’d just be a thin wrapper to set the right Denied subclass.

- Michael

> On Aug 29, 2022, at 14:22, Sean Hammond <pylons-...@snhmnd.fastmail.com> wrote:
>
> 
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/4663be4d-4334-4c7d-b24e-1101866dd571%40www.fastmail.com.
Reply all
Reply to author
Forward
0 new messages