Open djay opened 5 years ago
It would also be convenient for security. To make code that's async with taskqueue that can't be run by the user directly takes extra work at the moment to pass secrets or set alternative auth headers.
Task queue uses its own request class with ITaskQueueLayer and any view registered for that is only visible for task queue server requests and can never be accessed with browser. (Unless that layer is manually registered as a Plone browser layer.)
I explained myself badly. I meant setowner mode, i.e. where you want the user to be able to execute code as another user.
On Sat, 22 Jun 2019, 20:30 Asko Soukka, notifications@github.com wrote:
It would also be convenient for security. To make code that's async with taskqueue that can't be run by the user directly takes extra work at the moment to pass secrets or set alternative auth headers.
Task queue uses its own request class with ITaskQueueLayer and any view registered for that is only visible for task queue server requests and can never be accessed with browser. (Unless that layer is manually registered as a Plone browser layer.)
I still don’t fully understand. View is the simplest possible way to give the task an execution context. Even code outside a view would require some context to make sense. Could you implement a view that takes restricted Python as a (POST) payload and executes that?
I recall that the PAS plugin was supposed to make it possible to execute code as another user easily... unless it forces the current user. That I don’t fully recall.
Would you consider the possibility for optional support which takes a callable and queues executing this? I'm guessing this would require storage in the ZODB (another mount or the same one) of the code temporarily during queuing. Or else it could be done by pickling the code into Redis, perhaps with some signature for safety? The use case is that it makes for much nicer code rather than splitting your code into separate views for everything you want to run async. It would also be convenient for security. To make code that's async with taskqueue that can't be run by the user directly takes extra work at the moment to pass secrets or set alternative auth headers.
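The "pickle with a signature" idea from the issue above, sketched as an added example that is not part of the thread and is not collective.taskqueue code. It queues a dotted path to the callable rather than the code itself, and the names `pack_task`, `unpack_task`, `run_as`, the sample dotted path and the key are all hypothetical.

```python
import hashlib
import hmac
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def pack_task(key, func_path, args=(), run_as=None):
    """Serialize a task description and prepend an HMAC-SHA256 tag.

    func_path is a dotted name the worker resolves itself; no code object
    is pickled. run_as is the user id the worker should execute as.
    """
    body = pickle.dumps({"func": func_path, "args": tuple(args), "run_as": run_as})
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unpack_task(key, blob):
    """Return the task dict, or raise ValueError if the tag does not verify.

    The tag is checked BEFORE pickle.loads(): unpickling bytes that someone
    else could write into the queue can execute arbitrary code.
    """
    if len(blob) <= TAG_LEN:
        raise ValueError("payload too short")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad signature")
    return pickle.loads(body)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    blob = pack_task(key, "my.package.tasks.reindex", args=("/Plone/doc",), run_as="admin")
    print(unpack_task(key, blob))

    # Flip one bit of the queued bytes, as a writer without the key might.
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    try:
        unpack_task(key, tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

The signature only proves the payload came from a holder of the key; the worker should still resolve `func` against an allowlist of task callables before running it as `run_as`.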