advice about `correct' use of decorator
Gerardo Herzig
gherzig at fmed.uba.ar
Fri Aug 17 12:14:13 EDT 2007
Laszlo Nagy wrote:
>
>>>
>>> Are you developing a website or a GUI program?
>>>
>>>
>> It will be used in web development. Is it an important point?
>
> Yes, I think. Unless you use AJAX. :-) Most web sites work this way:
>
> user clicks -> request to server -> process on server -> response
>
> I would rather enclose the whole handler in try/except and raise a
> custom PermissionDenied exception when the user has insufficient
> permissions. There are problems with a decorator used for
> authorization. The context needs to be determined. E.g. which user is
> accessing the method? (It can be hard to tell if the method is part of
> a thread object that lies in a thread pool and is shared between
> simultaneous clients...) Also it might be that the method's purpose is
> to change objects of the same class, and the user has permission to
> modify one object but not the other. In this case, authorization must
> be done inside the function call... How do you express this with a
> decorator?
>
> These are just ideas. You should analyze your problem and make your
> decision. If you only want to restrict access to functions, then
> probably using decorators is perfect.
>
> Best,
>
> Laszlo
>
>
I posted the change_pass() function as an example; there are a bunch of
other functions (the whole site, actually) that will require a logged-in
user. The change_pass() function may have additional control, sure,
but it will not be part of the `global' requirement.
Thank you very much for your time, Laszlo
Gerardo
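
The two approaches discussed in this thread combined, as an added example that is not part of either original message: a decorator enforces the site-wide logged-in requirement, and the handler does the per-object check itself, raising PermissionDenied. `Request`, `login_required`, `handle` and the `ACCOUNTS` data are hypothetical names constructed for the illustration; only `change_pass` and `PermissionDenied` appear in the thread.

```python
import functools


class PermissionDenied(Exception):
    """Raised when the caller may not perform the requested action."""


class Request:
    """Constructed stand-in for a web request; user is None when anonymous."""
    def __init__(self, user=None):
        self.user = user


def login_required(handler):
    """Global requirement: the handler only runs for a logged-in user.

    The user is read from the request passed to this call, never from
    module-level or thread-shared state, so pooled workers cannot mix clients.
    """
    @functools.wraps(handler)
    def wrapper(request, *args, **kwargs):
        if request.user is None:
            raise PermissionDenied("login required")
        return handler(request, *args, **kwargs)
    return wrapper


# Constructed sample data: account name -> password (plain text only for the demo).
ACCOUNTS = {"alice": "old-a", "bob": "old-b"}


@login_required
def change_pass(request, account, new_password):
    # Per-object rule the decorator cannot know: a user may only change
    # the password of their own account.
    if request.user != account:
        raise PermissionDenied(f"{request.user} may not modify {account}")
    ACCOUNTS[account] = new_password
    return True


def handle(request, account, new_password):
    """Whole handler enclosed in try/except, mapping denial to a status code."""
    try:
        change_pass(request, account, new_password)
        return 200
    except PermissionDenied:
        return 403
```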