Security declarations


by Marc Rijken

Hi,

In the security declarations we have to use the name of the permission.
For me it is more logical and less error sensitive when the string may
be replaced by the class.

The current situation is:

class FooPermission(grok.Permission):
     grok.name('foo.permission')
     grok.title('Foo Permission')

class FooRole(grok.Role):
     grok.name('foo.Role')
     grok.title('Foo Role')
     grok.permissions(
         'foo.permission', # string
         )

class FooView(grok.View):
     grok.name('index.html')
     grok.require('foo.permission') # string

My preferred situation is:

class FooPermission(grok.Permission):
     grok.name('foo.permission')
     grok.title('Foo Permission')

class FooRole(grok.Role):
     grok.name('foo.Role')
     grok.title('Foo Role')
     grok.permissions(
         FooPermission,  # class instead of string
         )

class FooView(grok.View):
     grok.name('index.html')
     grok.require(FooPermission) # class instead of string

What do you think?

Regards,

Marc
_______________________________________________
Grok-dev mailing list
Grok-dev@...
https://mail.zope.org/mailman/listinfo/grok-dev

Re: Security declarations

by Martijn Faassen-2

Hey,

Marc Rijken wrote:
> In the security declarations we have to use the name of the permission.
> For me it is more logical and less error sensitive when the string may
> be replaced by the class.

>
> My preferred situation is:
>
> class FooPermission(grok.Permission):
>      grok.name('foo.permission')
>      grok.title('Foo Permission')
>
> class FooRole(grok.Role):
>      grok.name('foo.Role')
>      grok.title('Foo Role')
>      grok.permissions(
>          FooPermission,  # class instead of string
>          )
>
> class FooView(grok.View):
>      grok.name('index.html')
>      grok.require(FooPermission) # class instead of string
>
> What do you think?

Have you tried this? I thought we had this feature already, at least in
grok.View. I'm not sure whether it also works for grok.Role. If not,
then we should add this.

Regards,

Martijn


Re: Security declarations

by Souheil CHELFOUH

It's already working this way, that's the way I use it :)

2009/10/9 Marc Rijken <marc@...>:

> Hi,
>
> In the security declarations we have to use the name of the permission.
> For me it is more logical and less error sensitive when the string may
> be replaced by the class.
>
> The current situation is:
>
> class FooPermission(grok.Permission):
>     grok.name('foo.permission')
>     grok.title('Foo Permission')
>
> class FooRole(grok.Role):
>     grok.name('foo.Role')
>     grok.title('Foo Role')
>     grok.permissions(
>         'foo.permission', # string
>         )
>
> class FooView(grok.View):
>     grok.name('index.html')
>     grok.require('foo.permission') # string
>
> My preferred situation is:
>
> class FooPermission(grok.Permission):
>     grok.name('foo.permission')
>     grok.title('Foo Permission')
>
> class FooRole(grok.Role):
>     grok.name('foo.Role')
>     grok.title('Foo Role')
>     grok.permissions(
>         FooPermission,  # class instead of string
>         )
>
> class FooView(grok.View):
>     grok.name('index.html')
>     grok.require(FooPermission) # class instead of string
>
> What do you think?
>
> Regards,
>
> Marc

Re: Security declarations

by Martijn Faassen-2

Souheil CHELFOUH wrote:
> It's already working this way, that's the way I use it :)

Does it work that way for Role too? I wasn't sure where in the code I
should be looking. :)

Regards,

Martijn


Re: Security declarations

by Marc Rijken

I forgot to reply to the list

-------- Original message --------
Subject: Re: [Grok-dev] Security declarations
Date: Fri, 09 Oct 2009 16:59:28 +0200
From: Marc Rijken marc@...
To: Martijn Faassen faassen@...


Hi Martijn,

Thanx for your prompt reply. I have tried it in grok0.14. I did not get any errors, but it did not work. When I changed the classes into strings it did work. I have moved the code to grok1.0 and it works as expected. I'm not sure that was the only difference.

BTW this behaviour is not documented on http://grok.zope.org/doc/current/reference/directives.html#security-directives which states "permission – the name of the permission that is required"

Marc

On 9-10-2009 16:13, Martijn Faassen wrote:
> Hey,
>
> Marc Rijken wrote:
>> In the security declarations we have to use the name of the permission.
>> For me it is more logical and less error sensitive when the string may
>> be replaced by the class.
>>
>> My preferred situation is:
>>
>> class FooPermission(grok.Permission):
>>      grok.name('foo.permission')
>>      grok.title('Foo Permission')
>>
>> class FooRole(grok.Role):
>>      grok.name('foo.Role')
>>      grok.title('Foo Role')
>>      grok.permissions(
>>          FooPermission,  # class instead of string
>>          )
>>
>> class FooView(grok.View):
>>      grok.name('index.html')
>>      grok.require(FooPermission) # class instead of string
>>
>> What do you think?
>
> Have you tried this? I thought we had this feature already, at least in
> grok.View. I'm not sure whether it also works for grok.Role. If not,
> then we should add this.
>
> Regards,
>
> Martijn


Re: Security declarations

by Martijn Faassen-2

Hey,

Marc Rijken wrote:
> Thanx for your prompt reply. I have tried it in grok0.14. I did not get
> any errors, but it did not work. When I changed the classes into
> strings it did work. I have moved the code to grok1.0 and it works as
> expected. I'm not sure that was the only difference.
>
> BTW this behaviour is not documented on
> http://grok.zope.org/doc/current/reference/directives.html#security-directives 
> which states  " permission – the name of the permission that is required"

Thanks, that's indeed a documentation bug.

I've updated the documentation to reflect this now in SVN. One question
is whether this really works with Role. I couldn't find a test that
tests this, so that's a testing issue at least. I tried adjusting a test
to try it out, but I got errors in my test run.

This implies that the documentation in SVN is now ahead of the code.
Could someone add a test that tests direct permission references in
grok.Role?

This ought to work:

class MyPermission(grok.Permission):
     ...

class MyPermission2(grok.Permission):
     ...

class Foo(grok.Role):
     ...
     grok.permissions(MyPermission, MyPermission2)

Thanks, brave test-adder. :)

Regards,

Martijn


Re: Security declarations

by Jan-Wijbrand Kolman-3

Martijn Faassen wrote:

> Hey,
>
> Marc Rijken wrote:
>> Thanx for your prompt reply. I have tried it in grok0.14. I did not get
>> any errors, but it did not work. When I changed the classes into
>> strings it did work. I have moved the code to grok1.0 and it works as
>> expected. I'm not sure that was the only difference.
>>
>> BTW this behaviour is not documented on
>> http://grok.zope.org/doc/current/reference/directives.html#security-directives 
>> which states  " permission – the name of the permission that is required"
>
> Thanks, that's indeed a documentation bug.
>
> I've updated the documentation to reflect this now in SVN. One question
> is whether this really works with Role. I couldn't find a test that
> tests this, so that's a testing issue at least. I tried adjusting a test
> to try it out, but I got errors in my test run.
>
> This implies that the documentation in SVN is now ahead of the code.
> Could someone add a test that tests direct permission references in
> grok.Role?
>
> This ought to work:
>
> class MyPermission(grok.Permission):
>      ...
>
> class MyPermission2(grok.Permission):
>      ...
>
> class Foo(grok.Role):
>      ...
>      grok.permissions(MyPermission, MyPermission2)
>
> Thanks, brave test-adder. :)

I do not think this actually works with Role components currently.

The "trick" that knows how to handle either the Permission component
class itself or the name of this component, is implemented in the
grokcore.security.require() directive.

I agree it should work as symmetrical as possible.


Be aware though of the fact that Zope itself still identifies
permissions primarily through their name. So, this could eventually trip
you up in case you're using APIs that work with permissions - such as
permission mappings for example.

As a result we at THA still primarily use the names after all,
identified through constants in a central permission.py module.


Alas, let's see if we can get the behaviour symmetric in the Role components.


regards,
jw
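
The message above describes accepting either the Permission class or its name while the framework still identifies permissions by name. The following is an added example, not part of the original message and not grok or grokcore.security code, showing one way to normalise both styles to a name and reject unknown references; `Permission`, `permission_id`, `audit_declarations` and the `app.*` names are hypothetical.

```python
# Added illustration; this is not grok or grokcore.security code.
# Permission, permission_id and audit_declarations are hypothetical names.

class Permission:
    """Stand-in for a permission component; `name` is its registered id."""
    name = None

class EditDocument(Permission):
    name = 'app.EditDocument'

class ViewDocument(Permission):
    name = 'app.ViewDocument'

# Permissions the application actually registered, keyed by name.
REGISTERED = {p.name: p for p in (EditDocument, ViewDocument)}

def permission_id(ref):
    """Normalise a class-or-string reference to a registered permission name.

    Raises on anything unknown, so a typo fails when the declaration is
    processed instead of being accepted without an error.
    """
    if isinstance(ref, type) and issubclass(ref, Permission):
        name = ref.name
    elif isinstance(ref, str):
        name = ref
    else:
        raise TypeError('not a permission reference: %r' % (ref,))
    if name not in REGISTERED:
        raise LookupError('unknown permission: %r' % (name,))
    return name

def audit_declarations(declarations):
    """Return (owner, reference, error) for every declaration that fails."""
    problems = []
    for owner, refs in declarations.items():
        for ref in refs:
            try:
                permission_id(ref)
            except (TypeError, LookupError) as exc:
                problems.append((owner, ref, str(exc)))
    return problems

# Constructed sample: one role mixes both styles, one view has a typo.
SAMPLE = {
    'EditorRole': [EditDocument, 'app.ViewDocument'],
    'IndexView': ['app.EditDocumnet'],
}
```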


Re: Security declarations

by Jan-Wijbrand Kolman-3

Martijn Faassen wrote:
> I've updated the documentation to reflect this now in SVN. One question
> is whether this really works with Role. I couldn't find a test that
> tests this, so that's a testing issue at least. I tried adjusting a test
> to try it out, but I got errors in my test run.
>
> This implies that the documentation in SVN is now ahead of the code.
> Could someone add a test that tests direct permission references in
> grok.Role?

This was indeed not implemented at all in Grok.

Now it is.


I wonder if we should regard this to be a bug in the sense that it
should be ported to the 1.0 maintenance branch as well? It feels a bit
too feature-ish to me...


regards,
jw


Re: Security declarations

by Martijn Faassen-2

Jan-Wijbrand Kolman wrote:
[class-based permissions for Role]
> This was indeed not implemented at all in Grok.
>
> Now it is.

Great, thanks!

> I wonder if we should regard this to be a bug in the sense that it
> should be ported to the 1.0 maintenance branch as well? It feels a bit
> too feature-ish to me...

Let's keep it as a fix in the trunk for now. It can be argued it was a
bug that this wasn't possible, of course. :)

It depends a bit on when we expect 1.1 to see the light of day. If
relatively soon, 1.0 would only be bugfixes.

Regards,

Martijn

