[Twisted-web] Finer-Grained Security System for Twisted Web/Nevow?

glyph at divmod.com
Mon Apr 20 13:39:16 EDT 2009


On 10:47 am, michal.dtz at gmail.com wrote:
>Jeff Rush wrote:
>>Michal Pasternak wrote:

>I think you can write one easily. The question is, do you really need 
>one? :-)
>>AFAIK, in Twisted, the URL tree is constructed piece by piece using a 
>>series of .putChild('segment', resource) calls (or child_XXX class 
>>attributes) which, if you construct a complex tree with lots of 
>>conditionals based on the access rights of the user, can be messy.

>Or, you can override locateChild().

I would definitely do this reactively, in locateChild, rather than try 
to build up the whole hierarchy beforehand.
>Conditionals make the code messy. That's why I like the idea of 
>returning trees of resources, that wrap the avatar object and know 
>nothing about access control.

They're not just messy.  If you need to put the knowledge of your 
security model into your application logic, there's a chance you screw 
up, and when you screw up, you have a security hole.  If the security 
logic always lives somewhere else, then you can apply security to 
application logic without changing what the application code does, and 
you only have to look at your security code for security bugs, not every 
line of code you've ever written in any application.
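As an added illustration of the pattern glyph describes (this is example code written for this page, not code from the thread, from Nevow or from Twisted), the stand-in below keeps all access-control logic in one wrapper that has the same locateChild(ctx, segments) -> (resource, remaining_segments) shape as the resources it guards. The application tree (Resource) knows nothing about permissions; the Guard checks the policy for each path segment before delegating, re-wraps every child it hands back so the whole subtree stays guarded, and answers a denial with a terminal Forbidden resource and no remaining segments, so a denied user cannot probe what exists below. The Avatar, Resource, Policy, Guard and resolve names, the (None, ()) not-found value and the sample tree are all assumptions of this example, not Nevow's API.

```python
from typing import Dict, Optional, Sequence, Tuple

# Stand-in for a "not found" result, modelled on the (resource, segments)
# convention; constructed for this example, not imported from Nevow.
NOT_FOUND = (None, ())


class Avatar:
    """The authenticated principal and the permissions granted at login."""

    def __init__(self, name: str, permissions: Sequence[str] = ()):
        self.name = name
        self.permissions = frozenset(permissions)


class Resource:
    """Application resource: contains no access-control code at all."""

    def __init__(self, name: str, children: Optional[Dict[str, "Resource"]] = None):
        self.name = name
        self.children = children or {}

    def locateChild(self, ctx, segments: Tuple[str, ...]):
        # Consume one segment, return (child, remaining segments).
        child = self.children.get(segments[0])
        if child is None:
            return NOT_FOUND
        return child, segments[1:]


class Forbidden(Resource):
    """Terminal resource returned on denial; it never exposes children."""

    def __init__(self):
        super().__init__("forbidden")

    def locateChild(self, ctx, segments):
        return NOT_FOUND


class Policy:
    """Maps URL path prefixes to the permission they require (longest prefix wins)."""

    def __init__(self, rules: Dict[Tuple[str, ...], str]):
        self.rules = rules

    def required_permission(self, path: Tuple[str, ...]) -> Optional[str]:
        for length in range(len(path), -1, -1):
            permission = self.rules.get(path[:length])
            if permission is not None:
                return permission
        return None  # no rule covers this path: public


class Guard:
    """Security wrapper with the same locateChild signature as a resource."""

    def __init__(self, wrapped, policy: Policy, avatar: Avatar, path: Tuple[str, ...] = ()):
        self.wrapped = wrapped
        self.policy = policy
        self.avatar = avatar
        self.path = path  # segments consumed so far, used for policy lookup

    @property
    def name(self) -> str:
        return self.wrapped.name

    def _denied(self, path: Tuple[str, ...]) -> bool:
        required = self.policy.required_permission(path)
        return required is not None and required not in self.avatar.permissions

    def locateChild(self, ctx, segments: Tuple[str, ...]):
        # Deny before delegating: the application resource never sees the
        # request, and the remaining segments are dropped.
        if self._denied(self.path + (segments[0],)):
            return Forbidden(), ()
        child, remaining = self.wrapped.locateChild(ctx, segments)
        if child is None:
            return NOT_FOUND
        # A resource may swallow several segments at once; check each prefix.
        consumed = segments[:len(segments) - len(remaining)]
        path = self.path + (consumed[0],)
        for segment in consumed[1:]:
            path = path + (segment,)
            if self._denied(path):
                return Forbidden(), ()
        # Re-wrap the child so the guard follows the traversal down the tree.
        return Guard(child, self.policy, self.avatar, path), remaining


def resolve(root, ctx, segments: Tuple[str, ...]):
    """Walk the path the way a server would, one locateChild call at a time."""
    resource = root
    while segments:
        resource, segments = resource.locateChild(ctx, segments)
        if resource is None:
            return None
    return resource


if __name__ == "__main__":
    # Constructed sample tree and policy: /admin and everything below it
    # need the "admin" permission; everything else is public.
    app = Resource("root", {
        "public": Resource("public"),
        "admin": Resource("admin", {"users": Resource("users")}),
    })
    policy = Policy({("admin",): "admin"})
    alice, bob = Avatar("alice", ["admin"]), Avatar("bob")
    for who in (alice, bob):
        hit = resolve(Guard(app, policy, who), None, ("admin", "users"))
        print(who.name, "->", hit.name)
```

The Guard is the only place a reviewer has to read for authorisation bugs: Resource subclasses can be added or changed freely without touching the policy, and a denial short-circuits traversal so that neither the application code nor the response reveals the shape of the subtree.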


