Access control

The readable and writable Actions on a Field define who can read or write its data. Any Input associated with that Field is automatically disabled or omited based on these rules. Reuse the Field on many different Forms and Inputs without having to think about security again.

Editing the HTML in your browser cannot thwart these restrictions because they are checked server-side too.

Buttons attached to @secured methods are similarly managed.

All this means: more re-use, less scope for human error, less repetitive code for you to write.


class Comment(object):
    def allowed_to_see(self):
        # this is hard-coded, but you can check business rules here
        return True 

    def allowed_to_write(self):
        # this is hard-coded, but you can check business rules here
        return False

    @exposed
    def fields(self, fields):
        fields.greyed_out_field = Field(label='Some data',
                                        default='a value you\'re allowed to see, but not edit, so it is greyed out',
                                        readable=Action(self.allowed_to_see),
                                        writable=Action(self.allowed_to_write))

    @exposed
    def events(self, events):
        events.greyed_out_event = Event(label='Greyed out button', 
                                        action=Action(self.do_something))

    @secured(read_check=allowed_to_see, write_check=allowed_to_write)
    def do_something(self):
        pass

class CommentForm(Form):
    def __init__(self, view):
        super(CommentForm, self).__init__(view, 'myform')
        comment = Comment()

        self.use_layout(FormLayout())

        self.layout.add_input(TextInput(self, comment.fields.greyed_out_field))

        self.define_event_handler(comment.events.greyed_out_event)
        self.add_child(Button(self, comment.events.greyed_out_event))