thread.local usernames & business logic support
|Reported by:||anonymous||Owned by:||adrian|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
In Java webapps it's very convenient to set the user object to a thread local variable. This is for situations where the authorisation rules apply at the data level, not the page/url level. The advantages of this approach in Java MVC applications are:
- Web layer Controller code making calls to business logic / Service layer methods doesn't need to pass user objects around all the time.
- Business logic code doesn't need to know anything about HttpRequests, providing clearer separation of concerns and easier testing.
I think Django is truly excellent, am I trying to convince my team to ditch acres of Java/Spring xml config files in favour of it. However, I see very little emphasis in the documentation or the application design on business logic / business rules (rules like "can a user from this organisation modify this data at this time under these conditions"). View methods deal with Http and with naming templates. That doesn't seem an appropriate place. Also, there is no dedicated section in the documentation to writing Views, which seems to imply they are meant to be pretty lightweight. Models fire off data access functions in a brilliantly automagical style, and it seems terrible to override all those methods. The best place I can find is the Middleware method:
interface: process_view(self, request, view_func, view_args, view_kwargs)
However, this would lead to complexity or bloat - either running millions of rules for every request, or doing something complex like keying business rules of the view function.
So this is a feature suggestion for two things. Firstly, support for setting users as a thread.local variable. Secondly, clarifying where the business logic which needs this functionality should go.