authorMark McClain <mark.mcclain@shootq.com>2011-01-14 21:40:23 -0500
committerMark McClain <mark.mcclain@shootq.com>2011-01-14 21:40:23 -0500
commit6c053856f3c81bbbf4e39d800b73f234c2dc911f (patch)
treec899202a888598957d6b99858b52ebb4847d91c8 /pecan/routing.py
parented5c644779c1ed956f8bf3e663c285b54cf9368e (diff)
downloadpecan-6c053856f3c81bbbf4e39d800b73f234c2dc911f.tar.gz
Permissions are now checked as routing moves between controllers
.pecan metadata renamed to ._pecan
Diffstat (limited to 'pecan/routing.py')
-rw-r--r--pecan/routing.py36
1 files changed, 34 insertions, 2 deletions
diff --git a/pecan/routing.py b/pecan/routing.py
index e9ca5f0..ab388a7 100644
--- a/pecan/routing.py
+++ b/pecan/routing.py
@@ -1,12 +1,37 @@
from webob import exc
+from inspect import ismethod, isfunction
+STOP_NOW = False
+
+__all__ = ['lookup_controller', 'find_object']
+
+def handle_security(controller):
+ if controller._pecan.get('secured', False):
+ if not controller._pecan['check_permissions']():
+ raise exc.HTTPUnauthorized
+
+def cross_boundary(prev_obj, obj):
+ """
+ check the security as we move across a boundary
+ """
+ if prev_obj is None:
+ return
+
+ meta = getattr(prev_obj, '_pecan', {})
+
+ if meta.get('secured', False):
+ if obj not in meta.get('unlocked', []):
+ if not meta['check_permissions']():
+ raise exc.HTTPUnauthorized
def lookup_controller(obj, url_path):
remainder = url_path
notfound_handlers = []
+
while True:
try:
obj, remainder = find_object(obj, remainder, notfound_handlers)
+ handle_security(obj)
return obj, remainder
except exc.HTTPNotFound:
while notfound_handlers:
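Review bot: handle_security reads `controller._pecan` directly, while cross_boundary just below it uses `getattr(prev_obj, '_pecan', {})`, so the two new checks disagree on what a missing metadata dict means. Whether every exposed controller is guaranteed to carry `_pecan` is not visible in this diff; if one does not, the final check fails with an AttributeError rather than a deliberate decision. I would pick one policy and state it in a docstring, for example `meta = getattr(controller, '_pecan', None)` followed by an explicit rejection when `meta` is None if the intent is to fail closed. Separately, `STOP_NOW` and the `ismethod`/`isfunction` imports are not used in any hunk shown here. lookup_controller's body continues outside the hunk.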
@@ -21,7 +46,10 @@ def lookup_controller(obj, url_path):
try:
result = obj(*remainder)
if result:
+ prev_obj = obj
obj, remainder = result
+ # crossing controller boundary
+ cross_boundary(prev_obj, obj)
break
except TypeError, te:
print 'Got exception calling lookup(): %s (%s)' % (te, te.args)
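Review bot: The new `cross_boundary(prev_obj, obj)` call sits inside the `try` whose `except TypeError` exists to catch a lookup handler called with the wrong number of arguments. A TypeError raised from inside the `check_permissions` callback would therefore be printed as a lookup failure, and by then `obj` and `remainder` have already been rebound to the handler's result. What happens after the `print` is outside this hunk, so I cannot tell whether routing continues with the unchecked object. I would keep only `result = obj(*remainder)` inside the `try` and run the unpacking and `cross_boundary(prev_obj, obj)` after it, so a failing permission callback propagates instead of being swallowed.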
@@ -30,9 +58,13 @@ def lookup_controller(obj, url_path):
def find_object(obj, remainder, notfound_handlers):
+ prev_obj = None
while True:
if obj is None: raise exc.HTTPNotFound
if iscontroller(obj): return obj, remainder
+
+ # are we traversing to another controller
+ cross_boundary(prev_obj, obj)
if remainder and remainder[0] == '':
index = getattr(obj, 'index', None)
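Review bot: In find_object the added `cross_boundary(prev_obj, obj)` comes after `if iscontroller(obj): return obj, remainder`, so the hop that lands on an exposed controller returns before the parent's `secured` and `unlocked` metadata is consulted. That hop is then covered only by `handle_security(obj)` in lookup_controller, which reads the target's own `_pecan`. If `secured` and `check_permissions` are not copied onto every exposed method of a secured controller (not visible in this diff), the parent's check is skipped for it and the `unlocked` list is never applied to exposed methods. Either move the call above the `iscontroller` return, or add a comment such as `# exposed methods carry their own 'secured' flag; checked by handle_security()` so the invariant is explicit. find_object's body continues outside the hunk.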
@@ -57,8 +89,8 @@ def find_object(obj, remainder, notfound_handlers):
if not remainder: raise exc.HTTPNotFound
next, remainder = remainder[0], remainder[1:]
+ prev_obj = obj
obj = getattr(obj, next, None)
-
def iscontroller(obj):
- return getattr(obj, 'exposed', False) \ No newline at end of file
+ return getattr(obj, 'exposed', False)