On 10:47 am, michal.dtz@gmail.com wrote:
Jeff Rush wrote:
Michal Pasternak wrote:
I think you can write one easily. The question is, do you really need one? :-)
AFAIK, in Twisted, the URL tree is constructed piece by piece using a series of .putChild('segment', resource) calls (or child_XXX class attributes), which, if you construct a complex tree with lots of conditionals based on the access rights of the user, can be messy.
Or, you can override locateChild().
I would definitely do this reactively, in locateChild, rather than try to build up the whole hierarchy beforehand.
Conditionals make the code messy. That's why I like the idea of returning trees of resources that wrap the avatar object and know nothing about access control.
They're not just messy. If you need to put the knowledge of your security model into your application logic, there's a chance you screw up, and when you screw up, you have a security hole. If the security logic always lives somewhere else, then you can apply security to application logic without changing what the application code does, and you only have to look at your security code for security bugs, not every line of code you've ever written in any application.
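
A minimal model of the pattern discussed in this thread, added here as an illustration and not code from the thread or from Twisted: application resources that contain no access checks, wrapped by a guard whose locateChild applies the policy reactively at each path segment. Page, Guarded, traverse, fetch, the sample tree and the policy are all assumptions, and locateChild here takes only the remaining segments, a simplified stand-in for the framework method.

```python
class Page:
    """Application resource: knows its children, nothing about access control."""
    def __init__(self, body, **children):
        self.body, self.children = body, children

    def locateChild(self, segments):
        # Resolve one path segment at request time; None means "not found".
        return self.children.get(segments[0]), segments[1:]

class Guarded:
    """Security wrapper: the only place that consults the policy."""
    def __init__(self, resource, roles, policy, path=()):
        self.resource, self.roles = resource, frozenset(roles)
        self.policy, self.path = policy, path

    def locateChild(self, segments):
        child, rest = self.resource.locateChild(segments)
        if child is None:
            return None, rest
        path = self.path + (segments[0],)
        # Deny by default: the longest matching policy prefix decides,
        # and a path with no matching prefix is refused.
        required = next((self.policy[path[:n]] for n in range(len(path), 0, -1)
                         if path[:n] in self.policy), None)
        if required is None or required not in self.roles:
            raise PermissionError("/".join(path))
        # Re-wrap the child so the check also runs for every deeper segment.
        return Guarded(child, self.roles, self.policy, path), rest

def traverse(root, url):
    """Walk the URL segment by segment from a Guarded root, once per request."""
    node, segments = root, tuple(s for s in url.split("/") if s)
    while segments:
        node, segments = node.locateChild(segments)
        if node is None:
            return "404"
    return node.resource.body

# Constructed sample tree and policy (path prefix -> required role).
TREE = Page("home", reports=Page("reports", q1=Page("Q1 numbers")),
            admin=Page("admin", users=Page("user list")))
POLICY = {("reports",): "staff", ("admin",): "admin"}

def fetch(roles, url):
    try:
        return traverse(Guarded(TREE, roles, POLICY), url)
    except PermissionError:
        return "403"
```

Auditing access control in this model means reading Guarded and POLICY only; adding a new Page under an existing prefix inherits that prefix's rule, and a new top-level child is refused until the policy names it.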