| | |
|---|
| | | - If the userid *does not* exist in the system, it will |
|---|
| | | return ``None``. |
|---|
| | | |
|---|
| | | For example, ``groupfinder('editor', request )`` returns ['group:editor'], |
|---|
| | | ``groupfinder('viewer', request)`` returns [], and ``groupfinder('admin', request)`` |
|---|
| | | For example, ``groupfinder('editor', request )`` returns ``['group:editor']``, |
|---|
| | | ``groupfinder('viewer', request)`` returns ``[]``, and ``groupfinder('admin', request)`` |
|---|
| | | returns ``None``. We will use ``groupfinder()`` as an :term:`authentication policy` |
|---|
| | | "callback" that will provide the :term:`principal` or principals |
|---|
| | | for a user. |
|---|
| | |
|---|
| | | :language: python |
|---|
| | | |
|---|
| | | We import :data:`~pyramid.security.Allow`, an action that |
|---|
| | | means that permission is allowed:, and |
|---|
| | | means that permission is allowed, and |
|---|
| | | :data:`~pyramid.security.Everyone`, a special :term:`principal` |
|---|
| | | that is associated to all requests. Both are used in the |
|---|
| | | :term:`ACE` entries that make up the ACL. |
|---|
| | |
|---|
| | | The ACL is a list that needs to be named `__acl__` and be an |
|---|
| | | attribute of a class. We define an :term:`ACL` with two |
|---|
| | | :term:`ACE` entries: the first entry allows any user the `view` |
|---|
| | | permission. The second entry allows the ``group:editors`` |
|---|
| | | principal the `edit` permission. |
|---|
| | | permission, and the second entry allows the ``group:editors`` |
|---|
| | | principal the `edit` permission. |
|---|
| | | |
|---|
| | | The ``Wiki`` class that contains the ACL is the :term:`resource` |
|---|
| | | constructor for the :term:`root` resource, which is |
|---|
| | |
|---|
| | | |
|---|
| | | It's only happenstance that we're assigning this ACL at class scope. An ACL |
|---|
| | | can be attached to an object *instance* too; this is how "row level security" |
|---|
| | | can be achieved in :app:`Pyramid` applications. We actually only need *one* |
|---|
| | | can be achieved in :app:`Pyramid` applications. We actually need only *one* |
|---|
| | | ACL for the entire system, however, because our security requirements are |
|---|
| | | simple, so this feature is not demonstrated. See |
|---|
| | | :ref:`assigning_acls` for more information about what an |
|---|
| | |
|---|
| | | |
|---|
| | | Add permission declarations |
|---|
| | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| | | |
|---|
| | | Add a ``permission='edit'`` parameter to the ``@view_config`` |
|---|
| | | decorator for ``add_page()`` and ``edit_page()``, for example: |
|---|
| | | Open ``tutorial/tutorial/views.py``. Add a ``permission='edit'`` parameter |
|---|
| | | to the ``@view_config`` decorator for ``add_page()`` and |
|---|
| | | ``edit_page()``, for example: |
|---|
| | | |
|---|
| | | .. code-block:: python |
|---|
| | | :linenos: |
|---|
| | | :emphasize-lines: 2 |
|---|
| | | :emphasize-lines: 3 |
|---|
| | | |
|---|
| | | @view_config(route_name='add_page', renderer='templates/edit.pt', |
|---|
| | | permission='edit') |
|---|
| | | @view_config(name='add_page', context='.models.Wiki', |
|---|
| | | renderer='templates/edit.pt', |
|---|
| | | permission='edit') |
|---|
| | | |
|---|
| | | (Only the highlighted line needs to be added.) |
|---|
| | | (Only the highlighted line, along with its preceding comma, |
|---|
| | | needs to be added.) |
|---|
| | | |
|---|
| | | The result is that only users who possess the ``edit`` |
|---|
| | | permission at the time of the request may invoke those two views. |
|---|
| | |
|---|
| | | :linenos: |
|---|
| | | :emphasize-lines: 2 |
|---|
| | | |
|---|
| | | @view_config(route_name='view_page', renderer='templates/view.pt', |
|---|
| | | @view_config(context='.models.Page', renderer='templates/view.pt', |
|---|
| | | permission='view') |
|---|
| | | |
|---|
| | | (Only the highlighted line needs to be added.) |
|---|
| | | (Only the highlighted line, along with its preceding comma, |
|---|
| | | needs to be added.) |
|---|
| | | |
|---|
| | | This allows anyone to invoke these two views. |
|---|
| | | |
|---|
| | |
|---|
| | | :emphasize-lines: 3,6-9,11 |
|---|
| | | :language: python |
|---|
| | | |
|---|
| | | (Only the highlighted lines need to be added.) |
|---|
| | | (Only the highlighted lines, with other necessary modifications, |
|---|
| | | need to be added.) |
|---|
| | | |
|---|
| | | :meth:`~pyramid.view.forbidden_view_config` will be used |
|---|
| | | to customize the default 403 Forbidden page. |
|---|
| | |
|---|
| | | :linenos: |
|---|
| | | :language: python |
|---|
| | | |
|---|
| | | ``login()`` is decorated with two decorators: |
|---|
| | | ``login()`` has two decorators: |
|---|
| | | |
|---|
| | | - a ``@view_config`` decorator which associates it with the |
|---|
| | | ``login`` route and makes it visible when we visit ``/login``, |
|---|
| | | - a ``@forbidden_view_config`` decorator which turns it into |
|---|
| | | an :term:`forbidden view`. ``login()`` will be invoked |
|---|
| | | when a users tries to execute a view callable that |
|---|
| | | they are not allowed to. For example, if a user has not logged in |
|---|
| | | and tries to add or edit a Wiki page, he will be shown the |
|---|
| | | login form before being allowed to continue on. |
|---|
| | | a :term:`forbidden view`. ``login()`` will be invoked |
|---|
| | | when a user tries to execute a view callable for which they lack |
|---|
| | | authorization. For example, if a user has not logged in |
|---|
| | | and tries to add or edit a Wiki page, they will be shown the |
|---|
| | | login form before being allowed to continue. |
|---|
| | | |
|---|
| | | The order of these two :term:`view configuration` decorators |
|---|
| | | is unimportant. |
|---|
| | |
|---|
| | | .. literalinclude:: src/authorization/tutorial/templates/login.pt |
|---|
| | | :language: xml |
|---|
| | | |
|---|
| | | The above template is referred to within the login view we just |
|---|
| | | added to ``views.py``. |
|---|
| | | The above template is referred in the login view that we just added |
|---|
| | | in ``views.py``. |
|---|
| | | |
|---|
| | | Return a logged_in flag to the renderer |
|---|
| | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
| | |
|---|
| | | :emphasize-lines: 4 |
|---|
| | | :language: python |
|---|
| | | |
|---|
| | | (Only the highlighted line needs to be added.) |
|---|
| | | (Only the highlighted line and a trailing comma on the preceding |
|---|
| | | line need to be added.) |
|---|
| | | |
|---|
| | | Add a ``logged_in`` parameter to the return value of |
|---|
| | | ``view_page()``, ``edit_page()`` and ``add_page()``, |
|---|
| | |
|---|
| | | edit_url = edit_url, |
|---|
| | | logged_in = authenticated_userid(request)) |
|---|
| | | |
|---|
| | | (Only the highlighted line needs to be added.) |
|---|
| | | (Only the highlighted line and a trailing comma on the preceding |
|---|
| | | line need to be added.) |
|---|
| | | |
|---|
| | | :meth:`~pyramid.security.authenticated_userid()` will return None |
|---|
| | | if the user is not authenticated, or some user id it the user |
|---|
| | | is authenticated. |
|---|
| | | :meth:`~pyramid.security.authenticated_userid()` will return ``None`` |
|---|
| | | if the user is not authenticated, or a user id if the user is |
|---|
| | | authenticated. |
|---|
| | | |
|---|
| | | Add a "Logout" link when logged in |
|---|
| | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|---|
