I am trying to understand how Twisted Web security works, based on a few links:<div><br></div><div><a href="http://jcalderone.livejournal.com/53074.html">http://jcalderone.livejournal.com/53074.html</a></div><div><a href="http://twistedmatrix.com/documents/current/web/howto/web-in-60/http-auth.html">http://twistedmatrix.com/documents/current/web/howto/web-in-60/http-auth.html</a></div>
<div><br></div><div>They all explain how to set up a web app with let's say HTTP auth.</div><div><br></div><div>But there are no examples on how a Resource method (let;s say render_GET) could get access to the current Avatar object?</div>
<div>And does the Avatar object need to implement some specific interface?</div><div><br></div><div>What I want to do in CorePost is to allow fine grained privilege-based security <b>per method</b> (similar in style to Spring Security, for those who know it), e.g.:</div>
<div><br></div><div><div> @route("/user",Http.GET)</div><div> @secured("BROWSE_USER")</div><div> def getUser(self,request,**kwargs):</div><div> return ...some user info...</div></div><div>
<br></div><div><br></div><div><div><div> @route("/user",Http.POST)</div><div> @secured("UPDATE_USER")</div><div> def updateUser(self,request,userId,**kwargs):</div><div> ...create new user, etc...</div>
</div></div><div><br></div><div>If the Avatar does not have the required privileges (e.g. "BROWSE_USER" or "UPDATE_USER" in the example above), I want to throw a 403 Access Denied automatically.</div><div>
<br></div><div>Thanks for any pointers</div><div><br></div><div>Jacek</div><div><a href="https://github.com/jacek99/corepost">https://github.com/jacek99/corepost</a></div><div><br></div><div><br></div>