[Twisted-web] Get access to Avatar from Resource object?

[Jacek Furmankiewicz]

I am trying to understand how Twisted Web security works, based on a few
links:

http://jcalderone.livejournal.com/53074.html
http://twistedmatrix.com/documents/current/web/howto/web-in-60/http-auth.html

They all explain how to set up a web app with let's say HTTP auth.

But there are no examples on how a Resource method (let;s say render_GET)
could get access to the current Avatar object?
And does the Avatar object need to implement some specific interface?

What I want to do in CorePost is to allow fine grained privilege-based
security *per method* (similar in style to Spring Security, for those who
know it), e.g.:

    @route("/user",Http.GET)
    @secured("BROWSE_USER")
    def getUser(self,request,**kwargs):
        return ...some user info...


    @route("/user",Http.POST)
    @secured("UPDATE_USER")
    def updateUser(self,request,userId,**kwargs):
        ...create new user, etc...

If the Avatar does not have the required privileges (e.g. "BROWSE_USER" or
"UPDATE_USER" in the example above), I want to throw a 403 Access Denied
automatically.

Thanks for any pointers

Jacek
https://github.com/jacek99/corepost
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://twistedmatrix.com/pipermail/twisted-web/attachments/20120222/16860d59/attachment.htm