# HG changeset patch
# User Filip de Waard
# Date 1293668968 -3600
# Node ID 8c838712b684d22c87a0606981ccb09afccc737e
# Parent 96e4504b9cc1c16b4d01cbf2b794d9f7fff33bc4
refactored authorization
diff -r 96e4504b9cc1c16b4d01cbf2b794d9f7fff33bc4 -r 8c838712b684d22c87a0606981ccb09afccc737e vix/config/routing.py
--- a/vix/config/routing.py Wed Dec 29 20:37:34 2010 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-"""Routes configuration
-
-The more specific and detailed routes should be defined first so they
-may take precedent over the more generic routes. For more information
-refer to the routes manual at http://routes.groovie.org/docs/
-"""
-from routes import Mapper
-
-def make_map(config):
- """Create, configure and return the routes Mapper"""
- map = Mapper(directory=config['pylons.paths']['controllers'],
- always_scan=config['debug'])
- map.minimization = False
-
- # The ErrorController route (handles 404/500 error pages); it should
- # likely stay at the top, ensuring it can always be resolved
- map.connect('/error/{action}', controller='error')
- map.connect('/error/{action}/{id}', controller='error')
-
- # Routes for 'feed' controller
- map.connect('create_feed', '/feeds', controller='feeds',
- action='create', conditions=dict(method='POST'))
-
- map.connect('list_feeds', '/feeds', controller='feeds',
- action='list', conditions=dict(method='GET'))
-
- # Routes for 'api' controller
- map.connect('/api/:(action)', controller='api')
-
- return map
diff -r 96e4504b9cc1c16b4d01cbf2b794d9f7fff33bc4 -r 8c838712b684d22c87a0606981ccb09afccc737e vix/controllers/feeds.py
--- a/vix/controllers/feeds.py Wed Dec 29 20:37:34 2010 +0100
+++ b/vix/controllers/feeds.py Thu Dec 30 01:29:28 2010 +0100
@@ -27,7 +27,8 @@
 from pylons.decorators.rest import restrict
 from vix.lib.base import BaseController
-from vix.lib.decorators import authenticate, authorize
+from vix.lib.decorators import authenticate
+from vix.lib.auth import authorize, parse_http_authorization_header
 import vix.model as model
@@ -37,7 +38,6 @@
 @restrict('POST')
 @authenticate()
- @authorize(config['couchdb_database'], '*', 'POST')
 def create(self):
 """
 Creates a Feed resource.
@@ -68,6 +68,10 @@
 """
+ user = config['pylons.app_globals'].user
+ if not authorize(user, config['couchdb_database'], '*', 'POST'):
+ abort(403, 'Insufficient privileges to perform action.')
+
 #TODO: add application/atom+xml support
 if 'application/json' in request.headers.get('Content-type'):
 try:
diff -r 96e4504b9cc1c16b4d01cbf2b794d9f7fff33bc4 -r 8c838712b684d22c87a0606981ccb09afccc737e vix/lib/decorators.py
--- a/vix/lib/decorators.py Wed Dec 29 20:37:34 2010 +0100
+++ b/vix/lib/decorators.py Thu Dec 30 01:29:28 2010 +0100
@@ -26,10 +26,7 @@
 from pylons import request, config
 import vix.lib.auth as auth
-
-#REFACTOR: could refactor authorization decorator to include
-#authentication as well to avoid adding too much clutter with
-#different decorator calls. Will consider later.
+import vix.model as model
 def authenticate():
 """Decorator that adds HTTP Base Authentication to a controller method.
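Review bot: `parse_http_authorization_header` is pulled into feeds.py by the new import line but none of the hunks in this patch use it there; if the rest of the file does not either, trim the line to `from vix.lib.auth import authorize`. Header parsing is the job of the `authenticate` decorator, and leaving the helper importable from a controller invites a second, divergent parse of the `Authorization` header later.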
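Review bot: The new check in `create` authorizes whatever is in `config['pylons.app_globals'].user`, an attribute that the `authenticate` decorator writes onto the application globals object; if `app_globals` is the usual Pylons per-application singleton, that attribute is shared by every in-flight request, so another request passing through `authenticate` between this method's decorator and this line replaces the identity being authorized. Keep the identity in request scope instead: have the decorator store it as `request.environ['vix.user']` and read `user = request.environ['vix.user']` here. It is also worth failing closed when the attribute is absent rather than passing `None` to `authorize`, unless `authorize` is known to reject `None`. `create` continues past the end of this hunk.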
@@ -53,55 +50,16 @@
 def wrapper(func, self, *args, **kwargs):
 try:
- username, password = auth.parse_http_authorization_header(
+ name, pw = auth.parse_http_authorization_header(
 request.headers.get('Authorization'))
 except ValueError:
 abort(401, 'Correct HTTP Base authentication header required.')
+
+ config['pylons.app_globals'].user = model.User.load(model.db, name)
- if not auth.authenticate(username, password):
+ if not auth.authenticate(config['pylons.app_globals'].user, pw):
 abort(401, 'Invalid login.')
 return func(self, *args, **kwargs)
 return decorator(wrapper)
-
-def authorize(database, feed, action):
- """Decorator that adds authorization to a controller method.
-
- Calls abort(403) if an error occurs.
-
- :param database: Database name,
- :param feed: Name of the feed to authorize for (or '*' for a global
- admin check).
- :param action: HTTP method to authorize for (e.g. 'GET', 'POST').
-
- Example:
-
- .. code-block:: python
-
- from vix.lib.base import BaseController
- from vix.lib.decorators import authenticate, authorize
-
- class SomeController(BaseController):
-
- @authenticate()
- @authorize('vix_db', 'blog', 'POST')
- def protected_method(self):
- pass #do something that requires authorization
-
- """
-
- def wrapper(func, self, *args, **kwargs):
- try:
- username = auth.parse_http_authorization_header(
- request.headers.get('Authorization'))[0]
- except ValueError:
- abort(401, 'Correct HTTP Base authentication header required.')
-
- if not auth.authorize(username, database, feed, action):
- abort(403, 'Insufficient privileges to perform action.')
-
- return func(self, *args, **kwargs)
-
- return decorator(wrapper)
-
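Review bot: The looked-up user is written to `config['pylons.app_globals'].user` before `auth.authenticate` has accepted the password, so the `abort(401, 'Invalid login.')` path still leaves that user published on a process-wide object, and because `app_globals` is application-scoped in Pylons, overlapping requests race on the same attribute and a later `authorize` call can check the wrong identity. Bind the user to the request and only after the password check, e.g. `user = model.User.load(model.db, name)`, `if not auth.authenticate(user, pw): abort(401, 'Invalid login.')`, `request.environ['vix.user'] = user`. Whether `model.User.load` returns `None` for an unknown name and whether `auth.authenticate` tolerates that is not visible here; if it does not, an unknown username now raises where the old code returned 401. The docstring of `authenticate` (which begins in the previous hunk, outside this one) should also state that the decorator publishes the authenticated user for the controller's `authorize` call, since the removed `authorize` decorator's documentation is not carried over anywhere in this patch.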