On Feb 23, 2012, at 4:09 PM, Jacek Furmankiewicz wrote:

Ah, I think I get it.

Hooray!

So Avatar = root resource that this user can access, correct?

Yes, that is exactly correct!

(More generally: root protocol-specific thing that a user can access, since this applies to other authenticated protocols as well, and ideally, eventually, all protocols within Twisted.)

That is quite flexible actually. It's like you can serve a totally different application (i.e. resource) to the user depending on their credentials/roles/etc.

Yup.  And you can write wrappers in whatever way you see fit.  The idea is that instead of inserting "self.makeSureItIsSecure()" checks in (or decorators on) every single method, users without the proper authentication can't even access the objects whose methods they want to call; there's no security error, just a 404.  This means that it's much harder to make the mistake where you grant too much authority to anonymous users.

I will wrap my head around it a bit more in the coming weeks and see how I can add the functionality I want (able to add fine grained security per REST method on a resource) while working in spirit with the twisted.web.guard approach.

Great.  I'm really enthusiastic to see what you come up with.  Feel free to continue discussing ideas on this list as you're thinking through them - this is an area of Twisted that could stand to be talked about a lot more :).

Thanks to everyone for your help

Always happy to help someone through to the point of actual understanding!

-glyph
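Added illustration of the pattern Glyph describes above (not code from the thread, and not Twisted's own implementation): the realm hands back a root resource per avatar, and the anonymous avatar's tree simply has no protected subtree, so a request for it resolves to a 404 instead of a permission error. The `Resource`, `Realm` and `check_credentials` names only mirror the shape of twisted.cred and twisted.web.guard in plain Python; the user store is a constructed sample.

```python
# Plain-Python sketch of "avatar = root resource". Not Twisted's code; the names
# below only mirror the roles of IRealm, ICredentialsChecker and IResource.
from dataclasses import dataclass, field

OK = 200
NOT_FOUND = 404


@dataclass
class Resource:
    """A node in a resource tree; children are looked up by path segment."""
    name: str
    children: dict = field(default_factory=dict)

    def put_child(self, segment, child):
        self.children[segment] = child
        return child

    def traverse(self, path):
        """Walk the tree from this root; return (status, resource-or-None)."""
        node = self
        for segment in [p for p in path.split("/") if p]:
            node = node.children.get(segment)
            if node is None:
                return NOT_FOUND, None   # nothing to find, nothing to deny
        return OK, node


# Constructed sample credential store (username -> password).
USERS = {"alice": "s3cret"}


def check_credentials(username, password):
    """Stand-in for a credentials checker: returns an avatar id, or None."""
    return username if USERS.get(username) == password else None


class Realm:
    """Stand-in for a realm: builds the root resource for a given avatar id."""

    def request_avatar(self, avatar_id):
        root = Resource("root")
        root.put_child("public", Resource("public"))
        if avatar_id is not None:
            # Only authenticated avatars get the admin subtree at all.
            admin = root.put_child("admin", Resource("admin"))
            admin.put_child("delete-everything", Resource("delete-everything"))
        return root


def serve(path, username=None, password=None):
    """Guard-style entry point: credentials -> avatar -> traverse its tree."""
    # Assumption in this sketch: bad or absent credentials fall back to the
    # anonymous avatar (real twisted.web.guard would answer a bad login with 401).
    avatar_id = check_credentials(username, password) if username else None
    return Realm().request_avatar(avatar_id).traverse(path)[0]
```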