advice about `correct' use of decorator

Gerardo Herzig gherzig at fmed.uba.ar
Fri Aug 17 18:14:13 CEST 2007


Laszlo Nagy wrote:

>
>>>
>>> Are you developing a website or a GUI program?
>>>
>>>
>> It will be used in a web development. It is an important point?
>
> Yes, I think. Unless you use AJAX. :-) Most web sites work this way:
>
> user clicks -> request to server -> process on server -> response
>
> I would rather enclose the whole handler in try/except and raise a 
> custom PermissionDenied exception when the user has inscuficient 
> permissions. There are problems with a decorator used for 
> authorization. The context needs to be determined. E.g. which user is 
> accessing the method? (It can be hard to tell if the method is part of 
> a thread object that lies in a thread pool and is shared between 
> simultaneous clients...) Also it might be that the method's purpose is 
> to change objects of the same class, and the user has permission to 
> modify one object but not the other. In this case, authorization must 
> be done inside the function call... How do you express this with a 
> decorator?
>
> These are just ideas. You should analyze your problem and make your 
> decision. If you only want to restrict access to functions, then 
> probably using decorators is perfect.
>
> Best,
>
>   Laszlo
>
>
I post the change_pass() function as an example, there is a buch of 
other functions (the whole site actually) that will require a logged 
user.  May the change_pass() function have additional control, shure, 
but it will be not part of the `global' requirement.

Thank you very much for your time, Laszlo
Gerardo




More information about the Python-list mailing list