shinken-monitoring / mod-webui

Shinken Web User Interface
GNU Affero General Public License v3.0

Auth for custom views/ Deprecation of API functions #359

Closed Simage closed 8 years ago

Simage commented 9 years ago

I have several custom views that start with a preamble something like

    # First we look for the user sid
    # so we bail out if it's a false one
    user = app.get_user_auth()

    if not user:
        app.bottle.redirect("/user/login")

The get_user_auth function appears to have been removed; however, I don't seem to be able to find a replacement for it. It appears that there may be a 'before_request' hook that may replace the above code fragment, but I'm not familiar enough with Bottle to be 100% certain.

My preferred suggestion, particularly as far as 'API' functions such as this are concerned, would be that both methods exist, with the old deprecated one warning the user/developer in the log, rather than arbitrary removal of API functions.

mohierf commented 9 years ago

@Simage: I agree with your request. What do you think of it, @maethor? We should easily add this function in the new datamanager?

maethor commented 9 years ago

It should be easy, but I don't agree with you on this argument. Shinken WebUI code was a mess so we had to remove functions and to clean up everything.

WebUI2 is a new major version, we broke retrocompatibility for users and for developers. We could even say that it's a whole new software that should not be compared to WebUI v1. I promise we will not do it anymore, but for the first big cleanup it was really easier for us to do it.

With that said, on this specific case of app.get_user_auth(), I have to agree that it is a lot more clean than user = app.request.environ['USER']. So we should really reintroduce this function, and use it everywhere. I will do it today.

But it may be the only case where this is true. We have removed many functions and I don't intend to reintroduce all of them. This will sound a little cold, but I believe you may be the only two persons in the world who developed custom views, and that you are both very able to dig in the old webui code to bring back the functions you need. If I'm wrong, don't hesitate to open issues on Github if you want to know how to replace an old function you were using.

mohierf commented 9 years ago

@maethor: I do understand and agree with you ... my previous comment did not intend to reintroduce retro compatibility for all the broken old features! But simply considering the specific case of this function and the associated feature ... as you say it seems the only case where we should reintroduce it.

Note: I made some more tests this week with a brand new application based upon Bottle and the only clean way to validate user authorization is to use a function call as the very first instruction in a route function :/P
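The two ideas raised in this thread, a deprecated `get_user_auth()` shim that warns in the log and an auth check that runs before any view code, sketched as an added example that is not mod-webui's own code and not written by any participant. `App`, `Redirect`, `get_user` and `login_required` are hypothetical names, and the standard library stands in for Bottle so the block runs on its own.

```python
import functools
import logging
import warnings
from types import SimpleNamespace

log = logging.getLogger("webui.auth")  # hypothetical logger name


class Redirect(Exception):
    """Stand-in for the exception bottle.redirect() raises (constructed here)."""
    def __init__(self, location):
        super().__init__(location)
        self.location = location


class App:
    """Hypothetical app object; only request.environ['USER'] comes from the thread."""
    def __init__(self, environ):
        self.request = SimpleNamespace(environ=environ)

    def get_user(self):
        # .get() instead of ['USER']: a missing or empty key means
        # "not authenticated" rather than a KeyError in the view.
        return self.request.environ.get("USER") or None

    def get_user_auth(self):
        # Old name kept as a thin shim: same result, plus a warning for
        # developers and a log line for operators.
        warnings.warn("get_user_auth() is deprecated; use get_user()",
                      DeprecationWarning, stacklevel=2)
        log.warning("deprecated call: get_user_auth()")
        return self.get_user()


def login_required(view):
    """Fail closed: the check runs before the first line of the view."""
    @functools.wraps(view)
    def wrapper(app, *args, **kwargs):
        if not app.get_user():
            raise Redirect("/user/login")
        return view(app, *args, **kwargs)
    return wrapper


@login_required
def custom_view(app):
    # View body only ever runs with an authenticated user.
    return {"user": app.get_user()}
```
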