Michelle Levesque built a Quixote app as part of the PyWebOff comparison of Python Web frameworks. One of her last complaints caught my eye. Essentially she couldn't figure out how to do access control the way she wanted.
The two complaints were that
- (a) an AccessError exception (e.g. as raised by _q_access) couldn't easily be used to redirect/return a login page, and
- (b) every page has to
check permissions explicitly.
Since _q_access is called before every page, it's the right way to check permissions at the namespace level. The two problems can thus be solved in tandem.
First of all, organize the application so that the restricted areas are in a different namespace, e.g.
/ -- contains /login, welcome page, etc. /restricted/ -- contains restricted pages
Then write a _q_access function in the 'restricted' module that raises a specific exception -- either a subclass of AccessError, or not, doesn't matter. In an application-specific publisher class, catch & handle this exception:
class MyPublisher(SessionPublisher):
...
def try_publish(self, request, path):
try:
return SessionPublisher.try_publish(self, request, path)
except NotLoggedIn, e:
return "you should log in"
In place of the "you should log in", you can return a redirect (which is what I would recommend) or else print out a page with the appropriate login form.
I admit this is neither the most intuitive nor the most obvious solution in the world if you're not familiar with Quixote, but it makes sense to me ;).
One thing that Michelle may have missed (and maybe it needs to be highlighted in the Quixote documentation or something) is that Quixote is all about namespaces. Organize things hierarchically -- either by object or by module -- and your Quixote apps will flow.
That is all.
--titus