writable Actions on a Field define who can read or write its data.
Any Input associated with that Field is automatically disabled or omitted based on these rules. Reuse the Field
on many different Forms and Inputs without having to think about security again.
Editing the HTML in your browser cannot thwart these restrictions because they are checked server-side too.
Buttons attached to
@secured methods are similarly managed.
All this means: more re-use, less scope for human error, less repetitive code for you to write.
class Comment(object):
    """Domain object whose field and event carry their own access rules.

    The ``readable``/``writable`` Actions on the Field, and the ``@secured``
    checks on ``do_something``, decide who may see or change the data. Per the
    accompanying text these rules are enforced server-side as well, so an
    edited page cannot bypass them.
    """

    def allowed_to_see(self):
        """Read check: hard-coded here, but business rules can go in its place."""
        return True

    def allowed_to_write(self):
        """Write check: hard-coded to deny, but business rules can go in its place."""
        return False

    @exposed
    def fields(self, fields):
        """Declare the field that may be read but not edited (hence greyed out)."""
        read_rule = Action(self.allowed_to_see)
        write_rule = Action(self.allowed_to_write)
        fields.greyed_out_field = Field(
            label='Some data',
            default='a value you\'re allowed to see, but not edit, so it is greyed out',
            readable=read_rule,
            writable=write_rule,
        )

    @exposed
    def events(self, events):
        """Declare the event whose Button is governed by ``do_something``'s checks."""
        trigger = Action(self.do_something)
        events.greyed_out_event = Event(label='Greyed out button', action=trigger)

    @secured(read_check=allowed_to_see, write_check=allowed_to_write)
    def do_something(self):
        """Secured action; its read/write checks are the methods declared above."""
        pass


class CommentForm(Form):
    """Form that binds one input and one button to the secured Comment members."""

    def __init__(self, view):
        super(CommentForm, self).__init__(view, 'myform')
        model = Comment()
        self.use_layout(FormLayout())
        # The input and button take their enabled/disabled state from the
        # access rules declared on Comment, so no extra checks live here.
        text_input = TextInput(self, model.fields.greyed_out_field)
        self.layout.add_input(text_input)
        self.define_event_handler(model.events.greyed_out_event)
        button = Button(self, model.events.greyed_out_event)
        self.add_child(button)