Mailman 3 newbiew question - Twisted-web

newbiew question

arun chhetri

22 Jul 2008 22 Jul '08

10:47 p.m.

from twisted.web import resource, server from twisted.web import http class HomePage(resource.Resource): def __init__(self): resource.Resource.__init__(self) self.putChild('calendar',Calendar(user=None,pswd=None,server=None)) def render(self,request): return"""<html><body> <a href = calendar>Here is the solution <body> </html>""" def getChild(self,path,request): return Calendar(request.args["user"],request.args["pswd"],request.args["server"]) class Calendar(resource.Resource): def __init__(self,user,pswd,server): resource.Resource.__init__(self) self.user = user self.pswd = pswd self.server = server self.putChild('month',Month(user)) def render(self,request): return"""<p> The user is %s <a href=/calendar/month> The link to the month is this """%self.user[0] def getChild(self,path,request): return Month(self.user[0]) class Month(resource.Resource): def __init__(self,user): resource.Resource.__init__(self) self.user = user def render(self,request): return """ %s"""%self.user if __name__=="__main__": from twisted.internet import reactor root = HomePage() site = server.Site(root) reactor.listenTCP(8000,site) reactor.run() now if i go to http://localhost:8000/?user=arun&pswd=test&server=test i get this The user is arun The link to the month is this and if I click the link then I get None Can anybody help me how I can redirect the value self.user to Month so that instead of None it shows the user name provided in query string Thanks in advance

Attachments:

attachment.htm (text/html — 3.3 KB)

Show replies by date

Duncan McGreggor

23 Jul 23 Jul

12:02 a.m.

On Tue, Jul 22, 2008 at 3:47 PM, arun chhetri wrote:

...

from twisted.web import resource, server from twisted.web import http

class HomePage(resource.Resource): def __init__(self): resource.Resource.__init__(self) self.putChild('calendar',Calendar(user=None,pswd=None,server=None))

def render(self,request): return"""<html><body> <a href = calendar>Here is the solution <body> </html>""" def getChild(self,path,request): return Calendar(request.args["user"],request.args["pswd"],request.args["server"])

class Calendar(resource.Resource): def __init__(self,user,pswd,server): resource.Resource.__init__(self) self.user = user self.pswd = pswd self.server = server self.putChild('month',Month(user))

def render(self,request): return"""<p> The user is %s <a href=/calendar/month> The link to the month is this """%self.user[0]

def getChild(self,path,request): return Month(self.user[0])

class Month(resource.Resource): def __init__(self,user): resource.Resource.__init__(self) self.user = user def render(self,request): return """ %s"""%self.user

if __name__=="__main__": from twisted.internet import reactor root = HomePage() site = server.Site(root) reactor.listenTCP(8000,site) reactor.run()

now if i go to http://localhost:8000/?user=arun&pswd=test&server=test i get this The user is arun The link to the month is this and if I click the link then I get None

Can anybody help me how I can redirect the value self.user to Month so that instead of None it shows the user name provided in query string

Thanks in advance

Hey Arun, The problem is that you're mixing two different patterns: an object store (pre-created hierarchy of parents/children) and dynamically generated children. The latter is the easiest case to talk about, since it's the classic HTTP GET where you pass all the arguments you need for any given request. If that's what you want to do, then your application needs to add query parameters to every link that it renders. The quickest way to do that with your example code and without changing anything would be to change Calendar.render to the following: def render(self,request): return """ <p> The user is %s The link to the month is this """ % ( self.user[0], self.user[0], self.pswd[0], self.server[0]) and remove your HomePage.__init__ method. The first option is what I'd guess you were originally aiming for. This is a very different pattern: you want an object to be created with appropriate data stored on attributes, and you want to be able to refer to those objects and the values of their attributes in the future, not create them on the fly. There are probably some quick hacks that could demonstrate how to do this, but as soon as you tried to do anything remotely real with those hacks, you'd be in trouble. If this is really what you want, then you should spend some time getting to know Axiom. Hope that helps. If not, feel free to ask more questions, d

arun chhetri

3:41 p.m.

Hi Duncan Mcgregor, You have guessed it right, I have posted my problem on wiki,, bye On Tue, Jul 22, 2008 at 7:02 PM, Duncan McGreggor < duncan.mcgreggor@gmail.com> wrote:

...

On Tue, Jul 22, 2008 at 3:47 PM, arun chhetri wrote:

...
from twisted.web import resource, server from twisted.web import http

class HomePage(resource.Resource): def __init__(self): resource.Resource.__init__(self)

self.putChild('calendar',Calendar(user=None,pswd=None,server=None))

...
def render(self,request): return"""<html><body> <a href = calendar>Here is the solution <body> </html>""" def getChild(self,path,request): return

Calendar(request.args["user"],request.args["pswd"],request.args["server"])

...
class Calendar(resource.Resource): def __init__(self,user,pswd,server): resource.Resource.__init__(self) self.user = user self.pswd = pswd self.server = server self.putChild('month',Month(user))

def render(self,request): return"""<p> The user is %s <a href=/calendar/month> The link to the month is this """%self.user[0]

def getChild(self,path,request): return Month(self.user[0])

class Month(resource.Resource): def __init__(self,user): resource.Resource.__init__(self) self.user = user def render(self,request): return """ %s"""%self.user

if __name__=="__main__": from twisted.internet import reactor root = HomePage() site = server.Site(root) reactor.listenTCP(8000,site) reactor.run()

now if i go to http://localhost:8000/?user=arun&pswd=test&server=test i get this The user is arun The link to the month is this and if I click the link then I get None

Can anybody help me how I can redirect the value self.user to Month so

that

...
instead of None it shows the user name provided in query string

Thanks in advance

Hey Arun,

The problem is that you're mixing two different patterns: an object store (pre-created hierarchy of parents/children) and dynamically generated children.

The latter is the easiest case to talk about, since it's the classic HTTP GET where you pass all the arguments you need for any given request. If that's what you want to do, then your application needs to add query parameters to every link that it renders.

The quickest way to do that with your example code and without changing anything would be to change Calendar.render to the following:

def render(self,request): return """ <p> The user is %s The link to the month is this """ % ( self.user[0], self.user[0], self.pswd[0], self.server[0])

and remove your HomePage.__init__ method.

The first option is what I'd guess you were originally aiming for. This is a very different pattern: you want an object to be created with appropriate data stored on attributes, and you want to be able to refer to those objects and the values of their attributes in the future, not create them on the fly. There are probably some quick hacks that could demonstrate how to do this, but as soon as you tried to do anything remotely real with those hacks, you'd be in trouble. If this is really what you want, then you should spend some time getting to know Axiom.

Hope that helps. If not, feel free to ask more questions,

d

_______________________________________________ Twisted-web mailing list Twisted-web@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web

Maarten ter Huurne

3:26 a.m.

On Wednesday 23 July 2008, arun chhetri wrote:

...

class Calendar(resource.Resource): def __init__(self,user,pswd,server): resource.Resource.__init__(self) self.user = user self.pswd = pswd self.server = server self.putChild('month',Month(user))

def render(self,request): return"""<p> The user is %s <a href=/calendar/month> The link to the month is this """%self.user[0]

def getChild(self,path,request): return Month(self.user[0])

The information about the user does not belong in any Resource subclass: a Resource is a page that can be generated for different users, so it should only contain information that is the same for all users. Any user specific data should be fetched via the request object.

...

now if i go to http://localhost:8000/?user=arun&pswd=test&server=test i get this The user is arun The link to the month is thishttp://localhost:8000/calendar/month and if I click the link then I get None

One way to do it is to include the arguments in the URL for the "month" page: '<a href="month?user=%s&pswd=%s">this month</a>' % (user, pswd) Having the password in every URL is neither elegant nor safe. So probably you'll want to create a session to remember a user who has already authenticated. You can get a session object like this: session = request.getSession() You can attach custom data to a session like this: user = User(name) session.setComponent(IUser, user) and fetch it later like this: user = session.getComponent(IUser) The IUser class is a Zope Interface, here is an example: from zope.interface import Interface, implements class IUser(Interface): '''A user account. ''' def getUserName(self): '''Returns the name of the user account. ''' class User(object): implements(IUser) def __init__(self, name): self.__name = name def getUserName(self): return self.__name The User object contains the data you want to keep per user: the user name and maybe more. You don't have to store the password in this data object; instead you should create this object only if the user has successfully authenticated. Bye, Maarten

jibin zou

6:13 a.m.

New subject: newbiew twisted.enterprise.adbapi question

Hi, I am currently trying to use Twisted to develop my Web-based application. And I am trying to use twisted.enterprise.adbapi to handle my database connection and etc. I tried the example provide by the online docs. It work ONLY with print, without return a value for my Mako template. Can someone give a small example that lighten me how to use it? Here is some of my code. -----database.py----------- from twisted.enterprise import adbapi from twisted.internet import defer class DBModule(): connection_pool = adbapi.ConnectionPool("psycopg2", host = "localhost", database = "2juban" ,user = "2juban", password = "2juban" ) table = " " def findById(self, field, id): if field =="all": field = "*" query = """SELECT """+field+""" from """+ self.table +""" where id=""" + str(id) row = self.connection_pool.runQuery(query) return row.addCallback(self.print_data) def print_data(self, data): print data #return data ----hello.rpy------- ... from tpp.module.database import DBModule class hello(Controller): d = DBModule() d.table = 'talk_talk' t1 = d.findById('content',2) ... .. . The problem is when I just print out the value , it works ! I can saw it in my eclipse console. But if I want to get the return of the value, it's nothing rather a Deferred<>. Thanks. _________________________________________________________________ Connect to the next generation of MSN Messenger http://imagine-msn.com/messenger/launch80/default.aspx?locale=en-us&source=wlmailtagline

Christopher Armstrong

12:15 p.m.

On Tue, Jul 22, 2008 at 11:26 PM, Maarten ter Huurne wrote:

...

On Wednesday 23 July 2008, arun chhetri wrote:

...
class Calendar(resource.Resource): def __init__(self,user,pswd,server): resource.Resource.__init__(self) self.user = user self.pswd = pswd self.server = server self.putChild('month',Month(user))

def render(self,request): return"""<p> The user is %s <a href=/calendar/month> The link to the month is this """%self.user[0]

def getChild(self,path,request): return Month(self.user[0])

The information about the user does not belong in any Resource subclass: a Resource is a page that can be generated for different users, so it should only contain information that is the same for all users. Any user specific data should be fetched via the request object.

This is totally inaccurate. It's perfectly reasonable to store user-specific data in Resource objects. "a Resource is a page that can be generated for different users" is either irrelevant or not true, I can't tell which. You can dynamically and return Resources based on which user is making the request. Now, I'm not sure my favorite abstraction for a user is a string; I'd probably pass something other than a username to a Resource. Perhaps a rich object representing the user. -- Christopher Armstrong International Man of Twistery http://radix.twistedmatrix.com/ http://twistedmatrix.com/ http://canonical.com/

Phil Mayers

2:13 p.m.

New subject: Resource as Avatar (was Re: newbiew question)

...

...
The information about the user does not belong in any Resource subclass: a Resource is a page that can be generated for different users, so it should only contain information that is the same for all users. Any user specific data should be fetched via the request object.

This is totally inaccurate. It's perfectly reasonable to store user-specific data in Resource objects. "a Resource is a page that can be generated for different users" is either irrelevant or not true, I can't tell which. You can dynamically and return Resources based on which user is making the request.

Now, I'm not sure my favorite abstraction for a user is a string; I'd probably pass something other than a username to a Resource. Perhaps a rich object representing the user.

Since this is a common mis-conception (one I suffered from and have now disabused myself of) it's worth discussing. If my understanding is correct: twisted.cred uses the concept of an "avatar". Avatars (I think...): * are protocol objects * represent the user In twisted.web, the Resource *is* the avatar. In twisted.mail.imap, the Mailbox is the avatar. In twisted.conch, the Shell is the avatar (and so on). I found this initially confusing, because in many web frameworks e.g. Zope, where I came from, the objects representing resources are: * long lived * the same instances serve >1 HTTP request * instantiated at process start time It's also somewhat confusing because unlike other protocols, HTTP requests are very short-lived. It's worth noting you *can* have long-lived multi-instance t.w.Resource objects. In twisted, a common design pattern seems to be (I hope; I adopted it...) * have your realm return a root Resource i.e. one for "/" * attach your User object to that resource * have your root resource dynamically create the leaf resources via locateChild or childFactory, then attach the User object * when you need user info, get at it via e.g. self.user * let the leaf/root objects get GC-ed when the HTTP request is done I believe changes have been committed to twisted.web making this design pattern even more preferred: http://twistedmatrix.com/trac/changeset/23950 Code which, by the way, I very much like the look of. Could someone clarify if this is the "right" way of doing things?

Jean-Paul Calderone

2:58 p.m.

New subject: Resource as Avatar (was Re: newbiew question)

On Wed, 23 Jul 2008 15:13:49 +0100, Phil Mayers wrote:

...

...
...
The information about the user does not belong in any Resource subclass: a Resource is a page that can be generated for different users, so it should only contain information that is the same for all users. Any user specific data should be fetched via the request object.

This is totally inaccurate. It's perfectly reasonable to store user-specific data in Resource objects. "a Resource is a page that can be generated for different users" is either irrelevant or not true, I can't tell which. You can dynamically and return Resources based on which user is making the request.

Now, I'm not sure my favorite abstraction for a user is a string; I'd probably pass something other than a username to a Resource. Perhaps a rich object representing the user.

Since this is a common mis-conception (one I suffered from and have now disabused myself of) it's worth discussing.

If my understanding is correct: twisted.cred uses the concept of an "avatar". Avatars (I think...):

* are protocol objects

In some sense, they are protocol objects - they are used by protocol implementations to authorize user actions. They are not /themselves/ protocol implementations, though - that is, they do not implement IProtocol (at least, not in general) or subclass Protocol. I'm not sure if this is what you meant.

...

* represent the user

Yep, absolutely. :)

...

In twisted.web, the Resource *is* the avatar. In twisted.mail.imap, the Mailbox is the avatar. In twisted.conch, the Shell is the avatar (and so on).

Yep.

...

I found this initially confusing, because in many web frameworks e.g. Zope, where I came from, the objects representing resources are:

* long lived * the same instances serve >1 HTTP request * instantiated at process start time

It's also somewhat confusing because unlike other protocols, HTTP requests are very short-lived. It's worth noting you *can* have long-lived multi- instance t.w.Resource objects.

In twisted, a common design pattern seems to be (I hope; I adopted it...)

* have your realm return a root Resource i.e. one for "/"

Yep, although note that it doesn't _have_ to be "/". You can have the authenticated/authorized part of your resource hierarchy start wherever you like. If it starts at "/", then every resource on the server is "guarded".

...

* attach your User object to that resource * have your root resource dynamically create the leaf resources via locateChild or childFactory, then attach the User object * when you need user info, get at it via e.g. self.user * let the leaf/root objects get GC-ed when the HTTP request is done

Yep.

...

I believe changes have been committed to twisted.web making this design pattern even more preferred:

http://twistedmatrix.com/trac/changeset/23950

Code which, by the way, I very much like the look of.

Could someone clarify if this is the "right" way of doing things?

Sounds like you're basically on target. One area that you didn't talk much about is what the role of the user object is. It's possible to just examine the user object and then, in your custom Resource, decide what to do based on that examination. A more powerful approach is to actually delegate those decisions to the user object (and this is why twisted.web.guard makes the user object a Resource). This removes all checking from your code and just makes the right code for each user execute automatically. Explicit checking is tedious and error prone. Delegating all authorization decisions to the avatar simplifies the code and makes it less likely that you'll introduce a security issue. Jean-Paul

arun chhetri

3:33 p.m.

New subject: Resource as Avatar (was Re: newbiew question)

hi, thanks for your suggestion Phil. You have pointed out the main objective of my problem and that is,, I have created a desktop CALDAV client application. The Client connect to the Caldav server and fetches an object called account (and it cannot be pickled) which has session information, nonce, authentication information etc. Now my task is to port the Desktop code to web so that everybody can user it. But there is some problem. This account object should be created once per user session for example, ones user passes the user name, password, server address, then this account should be created and using this account any transaction with the CALDAV server should be done. Now I have made the Design something like this MainClass(User Login) | | | V Calendar Class (The Root of My application, here the account object should be created and passed to the controller class) | | | V Controller Class(This Class Should have account object that it gets from the Calendar Class and | should manage what kind of views user want) | | ____________V___________________ | | | | | | | | | V V V Month(View) Week(View) Day(View) I am new to web development, I am thinking of using the core application of CALDAV client to integrate with this kind of web view. I have tested mod_python and that did not worked for me. So, can twisted.web be used in this case, and if yes can you please give me some pointers how to do that. Thanks in advance On Wed, Jul 23, 2008 at 9:13 AM, Phil Mayers wrote:

...

The information about the user does not belong in any Resource subclass: a

...
...
Resource is a page that can be generated for different users, so it should only contain information that is the same for all users. Any user specific data should be fetched via the request object.

This is totally inaccurate. It's perfectly reasonable to store user-specific data in Resource objects. "a Resource is a page that can be generated for different users" is either irrelevant or not true, I can't tell which. You can dynamically and return Resources based on which user is making the request.

Now, I'm not sure my favorite abstraction for a user is a string; I'd probably pass something other than a username to a Resource. Perhaps a rich object representing the user.

Since this is a common mis-conception (one I suffered from and have now disabused myself of) it's worth discussing.

If my understanding is correct: twisted.cred uses the concept of an "avatar". Avatars (I think...):

* are protocol objects * represent the user

In twisted.web, the Resource *is* the avatar. In twisted.mail.imap, the Mailbox is the avatar. In twisted.conch, the Shell is the avatar (and so on).

I found this initially confusing, because in many web frameworks e.g. Zope, where I came from, the objects representing resources are:

* long lived * the same instances serve >1 HTTP request * instantiated at process start time

It's also somewhat confusing because unlike other protocols, HTTP requests are very short-lived. It's worth noting you *can* have long-lived multi-instance t.w.Resource objects.

In twisted, a common design pattern seems to be (I hope; I adopted it...)

* have your realm return a root Resource i.e. one for "/" * attach your User object to that resource * have your root resource dynamically create the leaf resources via locateChild or childFactory, then attach the User object * when you need user info, get at it via e.g. self.user * let the leaf/root objects get GC-ed when the HTTP request is done

I believe changes have been committed to twisted.web making this design pattern even more preferred:

http://twistedmatrix.com/trac/changeset/23950

Code which, by the way, I very much like the look of.

Could someone clarify if this is the "right" way of doing things?

_______________________________________________ Twisted-web mailing list Twisted-web@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web

Maarten ter Huurne

7:30 p.m.

On Wednesday 23 July 2008, Christopher Armstrong wrote:

...

On Tue, Jul 22, 2008 at 11:26 PM, Maarten ter Huurne wrote:

...
The information about the user does not belong in any Resource subclass: a Resource is a page that can be generated for different users, so it should only contain information that is the same for all users. Any user specific data should be fetched via the request object.

This is totally inaccurate. It's perfectly reasonable to store user-specific data in Resource objects. "a Resource is a page that can be generated for different users" is either irrelevant or not true, I can't tell which. You can dynamically and return Resources based on which user is making the request.

Ah, I never realized it could be used like that. I thought "resource" was intended to be used as "something reachable by URL", with a 1:1 mapping of URL path to Resource instance. Sorry for spreading misinformation. It is still not entirely clear to me what an avatar is though and how it relates to resources and authorization. When accessing a file system, would the "traditional" authorization approach be to have permission bits on every file indicating whether that file can be read or written by a certain users, while the "avatar" approach would be to give the user a chroot environment with only files under it that that user should have access to? On Wednesday 23 July 2008, Phil Mayers wrote:

...

Since this is a common mis-conception (one I suffered from and have now disabused myself of) it's worth discussing.

If my understanding is correct: twisted.cred uses the concept of an "avatar". Avatars (I think...):

* are protocol objects * represent the user

In twisted.web, the Resource *is* the avatar. In twisted.mail.imap, the Mailbox is the avatar. In twisted.conch, the Shell is the avatar (and so on).

In what way does the avatar represent the user? Is it like a Mars lander representing the control team on Earth?

...

I found this initially confusing, because in many web frameworks e.g. Zope, where I came from, the objects representing resources are:

* long lived * the same instances serve >1 HTTP request * instantiated at process start time

That is the approach I was familiar with from Java servlets and from Webware. Since this approach can be mapped onto twisted.web easily I never realized it was designed for a different approach. On Wednesday 23 July 2008, Jean-Paul Calderone wrote:

...

Sounds like you're basically on target. One area that you didn't talk much about is what the role of the user object is. It's possible to just examine the user object and then, in your custom Resource, decide what to do based on that examination. A more powerful approach is to actually delegate those decisions to the user object (and this is why twisted.web.guard makes the user object a Resource). This removes all checking from your code and just makes the right code for each user execute automatically. Explicit checking is tedious and error prone. Delegating all authorization decisions to the avatar simplifies the code and makes it less likely that you'll introduce a security issue.

Does this mean the top-level Resource node is the user object, so in fact there is a user-specific Resource tree? Bye, Maarten

arun chhetri

10:40 p.m.

hi friends, as per the previous question I think I have found my answer,, the structure of my program is something like this from twisted.web import resource, static, server import sys sys.path.append("/Library/WebServer/Documents/VCalendar/bin/Client2") import Calendar account = None account = [] class HomePage(resource.Resource): def render(self,request): return""" <html> <body> <form action=/optional method="post"> User Name <input type="text" name="username"><br/> Pass Word <input type="password" name="pswd"><br/> ServerAdd <input type="text" name="server"><br/> <input type="submit" Value="Submit"><br/> </form> </body> </html>""" class Optional(resource.Resource): def __init__(self): resource.Resource.__init__(self) def render(self,request): self.user = request.args["username"] self.pswd = request.args["pswd"] self.server = request.args["server"] return "<a href = /optional/Calendar> Click this link" def getChild(self,path,request): return MainCalendar(self.user[0],self.pswd[0],self.server[0]) class MainCalendar(resource.Resource): def __init__(self,user,pswd,server): resource.Resource.__init__(self) if user != None: if pswd != None: if server != None: self.user = user self.pswd = pswd self.server = server self.CalendarObject = Calendar.CalendarObject(self.user,self.pswd,self.server) self.putChild('month',month(self.CalendarObject)) self.putChild('week',week(self.CalendarObject)) self.putChild('day',day(self.CalendarObject)) def render(self,request): return """ <p><a href = /optional/calendar/month> Month View</br> <p><a href = /optional/calendar/week> Month View</br> <p><a href = /optional/calendar/day> Day View""" def getChild(self,path,request): if path == "/optional/calendar/month": return Month(self.CalendarObject) elif path == "/optional/calendar/week": return week(self.CalendarObject) elif path == "/optional/calendar/day": return day(self.CalendarObject) class month(resource.Resource): def __init__(self,CalendarObject): self.CalendarObject = CalendarObject def render(self,request): return "Month for %s is good "%self.CalendarObject.account.session.user class week(resource.Resource): def __init__(self,CalendarObject): self.CalendarObject = CalendarObject def render(self,request): return "Week for %s is good"%self.CalendarObject.account.session.user class day(resource.Resource): def __init__(self,CalendarObject): self.CalendarObject = CalendarObject def render(self,request): return "Day for %s is good"%self.CalendarObject.account.session.user if __name__ == "__main__": from twisted.internet import reactor root = resource.Resource() root.putChild('',HomePage()) root.putChild('optional',Optional()) site = server.Site(root) reactor.listenTCP(8000,site) reactor.run() Is there any fault in the structure of my code, or any error which i cannot see. There is one more question,, how can I bind this to my website for ex www.xyz.com:10 cheers Thanks to all On Wed, Jul 23, 2008 at 2:30 PM, Maarten ter Huurne wrote:

...

On Wednesday 23 July 2008, Christopher Armstrong wrote:

...
On Tue, Jul 22, 2008 at 11:26 PM, Maarten ter Huurne wrote:

...
The information about the user does not belong in any Resource subclass: a Resource is a page that can be generated for different users, so it should only contain information that is the same for all users. Any user specific data should be fetched via the request object.

This is totally inaccurate. It's perfectly reasonable to store user-specific data in Resource objects. "a Resource is a page that can be generated for different users" is either irrelevant or not true, I can't tell which. You can dynamically and return Resources based on which user is making the request.

Ah, I never realized it could be used like that. I thought "resource" was intended to be used as "something reachable by URL", with a 1:1 mapping of URL path to Resource instance. Sorry for spreading misinformation.

It is still not entirely clear to me what an avatar is though and how it relates to resources and authorization.

When accessing a file system, would the "traditional" authorization approach be to have permission bits on every file indicating whether that file can be read or written by a certain users, while the "avatar" approach would be to give the user a chroot environment with only files under it that that user should have access to?

On Wednesday 23 July 2008, Phil Mayers wrote:

...
Since this is a common mis-conception (one I suffered from and have now disabused myself of) it's worth discussing.

If my understanding is correct: twisted.cred uses the concept of an "avatar". Avatars (I think...):

* are protocol objects * represent the user

In twisted.web, the Resource *is* the avatar. In twisted.mail.imap, the Mailbox is the avatar. In twisted.conch, the Shell is the avatar (and so on).

In what way does the avatar represent the user? Is it like a Mars lander representing the control team on Earth?

...
I found this initially confusing, because in many web frameworks e.g. Zope, where I came from, the objects representing resources are:

* long lived * the same instances serve >1 HTTP request * instantiated at process start time

That is the approach I was familiar with from Java servlets and from Webware. Since this approach can be mapped onto twisted.web easily I never realized it was designed for a different approach.

On Wednesday 23 July 2008, Jean-Paul Calderone wrote:

...
Sounds like you're basically on target. One area that you didn't talk much about is what the role of the user object is. It's possible to just examine the user object and then, in your custom Resource, decide what to do based on that examination. A more powerful approach is to actually delegate those decisions to the user object (and this is why twisted.web.guard makes the user object a Resource). This removes all checking from your code and just makes the right code for each user execute automatically. Explicit checking is tedious and error prone. Delegating all authorization decisions to the avatar simplifies the code and makes it less likely that you'll introduce a security issue.

Does this mean the top-level Resource node is the user object, so in fact there is a user-specific Resource tree?

Bye, Maarten

_______________________________________________ Twisted-web mailing list Twisted-web@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-web

5749

Age (days ago)

5750

Last active (days ago)

List overview

Download

10 comments

7 participants

participants (7)

arun chhetri
Christopher Armstrong
Duncan McGreggor
Jean-Paul Calderone
jibin zou
Maarten ter Huurne
Phil Mayers

newbiew question

jibin zou

Christopher Armstrong

Phil Mayers

tags

participants (7)