[Twisted-web] newbie question

Maarten ter Huurne maarten at treewalker.org
Wed Jul 23 15:30:33 EDT 2008


On Wednesday 23 July 2008, Christopher Armstrong wrote:
> On Tue, Jul 22, 2008 at 11:26 PM, Maarten ter Huurne
> <maarten at treewalker.org> wrote:
>
> > The information about the user does not belong in any Resource
> > subclass: a Resource is a page that can be generated for different
> > users, so it should only contain information that is the same for all
> > users. Any user specific data should be fetched via the request object.
>
> This is totally inaccurate. It's perfectly reasonable to store
> user-specific data in Resource objects.  "a Resource is a page that
> can be generated for different users" is either irrelevant or not
> true, I can't tell which. You can dynamically and return Resources
> based on which user is making the request.

Ah, I never realized it could be used like that. I thought "resource" was 
intended to be used as "something reachable by URL", with a 1:1 mapping of 
URL path to Resource instance. Sorry for spreading misinformation.

It is still not entirely clear to me what an avatar is though and how it 
relates to resources and authorization.

When accessing a file system, would the "traditional" authorization approach 
be to have permission bits on every file indicating whether that file can 
be read or written by a certain user, while the "avatar" approach would be 
to give the user a chroot environment with only files under it that that 
user should have access to?

On Wednesday 23 July 2008, Phil Mayers wrote:
> Since this is a common mis-conception (one I suffered from and have now
> disabused myself of) it's worth discussing.
>
> If my understanding is correct: twisted.cred uses the concept of an
> "avatar". Avatars (I think...):
>
>   * are protocol objects
>   * represent the user
>
> In twisted.web, the Resource *is* the avatar. In twisted.mail.imap, the
> Mailbox is the avatar. In twisted.conch, the Shell is the avatar (and so
> on).

In what way does the avatar represent the user? Is it like a Mars lander 
representing the control team on Earth?

> I found this initially confusing, because in many web frameworks e.g.
> Zope, where I came from, the objects representing resources are:
>
>   * long lived
>   * the same instances serve >1 HTTP request
>   * instantiated at process start time

That is the approach I was familiar with from Java servlets and from 
Webware. Since this approach can be mapped onto twisted.web easily I never 
realized it was designed for a different approach.

On Wednesday 23 July 2008, Jean-Paul Calderone wrote:
> Sounds like you're basically on target.  One area that you didn't talk
> much about is what the role of the user object is.  It's possible to
> just examine the user object and then, in your custom Resource, decide
> what to do based on that examination.  A more powerful approach is to
> actually delegate those decisions to the user object (and this is why
> twisted.web.guard makes the user object a Resource).  This removes all
> checking from your code and just makes the right code for each user
> execute automatically.  Explicit checking is tedious and error prone.
> Delegating all authorization decisions to the avatar simplifies the
> code and makes it less likely that you'll introduce a security issue.

Does this mean the top-level Resource node is the user object, so in fact 
there is a user-specific Resource tree?

Bye,
		Maarten
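The chroot analogy and Jean-Paul's point about delegating authorization to the avatar can be made concrete with a small model. The following is an added example, not code from this thread and not Twisted's own API: it is plain Python with no Twisted import, and the class and method names (Resource, Realm, request_avatar) are chosen only to echo twisted.web and twisted.cred. The user names "alice" and "bob" are constructed sample accounts. It contrasts one shared Resource tree where every user-specific node must perform its own check (and shows what happens when one node forgets) with a realm that hands each authenticated user an avatar that is the root of a tree containing only that user's data, so that other users' paths simply do not exist for them.

```python
# Toy model of the "avatar" pattern discussed in this thread, written in plain
# Python so it runs without Twisted. Names (Resource, Realm, request_avatar)
# are chosen to echo twisted.web/twisted.cred but are NOT the Twisted API.
from dataclasses import dataclass


@dataclass
class Request:
    user: str   # authenticated user name; constructed sample value
    path: list  # remaining URL path segments


class Resource:
    """A node in the URL tree (stand-in for twisted.web.resource.Resource)."""

    def __init__(self):
        self.children = {}

    def put_child(self, name, child):
        self.children[name] = child

    def get_child(self, name, request):
        return self.children.get(name, NoResource())

    def render(self, request):
        return 200, "index"


class NoResource(Resource):
    def render(self, request):
        return 404, "not found"


class Mailbox(Resource):
    """Per-user data; carries no authorization check of its own."""

    def __init__(self, owner):
        super().__init__()
        self.owner = owner

    def render(self, request):
        return 200, f"mail of {self.owner}"


class CheckedMailbox(Mailbox):
    """Explicit-check style: every user-specific node must remember to check."""

    def render(self, request):
        if request.user != self.owner:
            return 403, "forbidden"
        return super().render(request)


def traverse(root, request):
    """Walk the path segments from root and render the node reached."""
    node = root
    for segment in request.path:
        node = node.get_child(segment, request)
    return node.render(request)


USERS = ("alice", "bob")  # constructed sample accounts


def build_shared_tree(forget_check=False):
    """One tree for all users; authorization has to live in each node.
    forget_check=True models a node whose author omitted the check."""
    root = Resource()
    for name in USERS:
        node = Mailbox(name) if forget_check else CheckedMailbox(name)
        root.put_child(name, node)
    return root


class Realm:
    """Avatar style: the object returned for a user *is* that user's root,
    and it only contains what that user may see (the chroot analogy)."""

    def request_avatar(self, avatar_id):
        if avatar_id not in USERS:
            raise KeyError(avatar_id)
        root = Resource()
        root.put_child(avatar_id, Mailbox(avatar_id))  # nobody else's data is in this tree
        return root


def serve_shared(user, path, forget_check=False):
    """Render `path` for `user` against the shared, explicitly checked tree."""
    return traverse(build_shared_tree(forget_check), Request(user, path))


def serve_avatar(user, path):
    """Render `path` for `user` against that user's own avatar tree."""
    return traverse(Realm().request_avatar(user), Request(user, path))


if __name__ == "__main__":
    print(serve_shared("alice", ["bob"]))                     # (403, 'forbidden')
    print(serve_shared("alice", ["bob"], forget_check=True))  # (200, 'mail of bob')
    print(serve_avatar("alice", ["bob"]))                     # (404, 'not found')
```

In the shared tree the correct answer depends on every user-specific node repeating the same check, and a single omission exposes another user's data; in the avatar tree the realm decides once, at authentication time, what the user's world looks like, and the nodes themselves need no checking code.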