Closed
Description
I've seen many extensions forgetting to put @web.authenticated on handlers;
I'm tempted to think that AuthenticatedFileHandler should use __init_subclass__ – or whatever, peek at SUPPORTED_METHODS, and autowrap any handler in @web.authenticated unless the handler is marked with a specific @public decorator.
It's likely something like:
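    from tornado import web

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        for verb in cls.SUPPORTED_METHODS:
            # SUPPORTED_METHODS holds upper-case verbs; handler methods are lower-case
            name = verb.lower()
            meth = getattr(cls, name, None)
            if meth and not getattr(meth, '_public', None):
                setattr(cls, name, web.authenticated(meth))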
Hard part is likely deprecation and detecting methods that are already in @web.authenticated, though that should not be too hard as it sets the __wrapped__ attribute, and wrapping twice with @web.authenticated should be a no-op.
I think from a security standpoint it's a strict gain and likely a net decrease in code size as well (I can find just on this repo at least 44 mentions of @web.authenticated.)
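The proposal above as an added example, not code from the issue or from the project. `authenticated` and `HTTPError` are stand-ins for Tornado's so the block runs without Tornado; `public`, `AutoAuthHandler`, `ContentsHandler` and `call` are hypothetical names. It inspects only the verbs a subclass defines itself, so inherited handlers are not wrapped again at every level.

```python
import functools

class HTTPError(Exception):
    """Stand-in for tornado.web.HTTPError (assumption, keeps the demo offline)."""

def authenticated(method):
    """Stand-in for tornado.web.authenticated: refuse when there is no user."""
    @functools.wraps(method)  # copies attributes and sets __wrapped__
    def wrapper(self, *args, **kwargs):
        if not self.current_user:
            raise HTTPError(403)
        return method(self, *args, **kwargs)
    return wrapper

def public(method):
    """Hypothetical opt-out marker proposed in the issue."""
    method._public = True
    return method

class AutoAuthHandler:  # hypothetical base; a real one would derive from a Tornado handler
    SUPPORTED_METHODS = ("GET", "HEAD", "POST", "DELETE", "PATCH", "PUT", "OPTIONS")
    current_user = None

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        for verb in cls.SUPPORTED_METHODS:
            name = verb.lower()
            meth = cls.__dict__.get(name)  # only verbs this subclass defines
            if meth is not None and not getattr(meth, "_public", False):
                # wrapping an already-authenticated method again is harmless
                setattr(cls, name, authenticated(meth))

class ContentsHandler(AutoAuthHandler):  # constructed sample handler
    def get(self):            # decorator forgotten by the extension author
        return "secret"
    @authenticated            # already decorated explicitly
    def post(self):
        return "created"
    @public                   # deliberately unauthenticated
    def head(self):
        return "ok"

def call(handler_cls, verb, user=None):
    handler = handler_cls()
    handler.current_user = user
    try:
        return getattr(handler, verb)()
    except HTTPError as err:
        return err.args[0]  # status code of the refusal
```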