Dynamic user-based authorization in Pyramid

I follow the security rules found in the Pyramid docs along with the wiki tutorial "Adding Authorization".

Now I need to add restrictions based on only one user, and not on groups.

Let's say, for example, that while a blog editor can have permission to view all comments, only the author of the message can edit the post itself.

For the first task, I will have something like this in my root ACL:

    from pyramid.security import Allow, Everyone, Authenticated

    __acl__ = [
        (Allow, Everyone, 'view'),
        (Allow, Authenticated, 'view_profile'),
        (Allow, 'groups:editor', 'edit_comment'),
    ]

But what about edit_post?

I read this answer, but it seems too difficult for me, because I do not need to create a resource tree.

+6
2 answers

Perhaps this is too complicated. First, only show the link to edit_post if the visitor is the author of the post. This will handle 99% of the problem, making this view invisible to people who should not see it. For the other 1% (clever users manually editing the URL to reach the edit view directly), add something like this:

    import pyramid.httpexceptions
    from pyramid.security import authenticated_userid

    def edit_post(request):
        ...  # load the post and its author here
        if authenticated_userid(request) != author:
            raise pyramid.httpexceptions.HTTPForbidden("You are not this post author.")
+4

You already have a Resource Tree by creating a Root resource in your project. You just need to add a node to it for posts, which will return a Post object with a specific __acl__ that contains only the authorized user ID. Then you can give the edit_posts route traverse='/posts/{post_id}', so that the resource tree is traversed to the Post object and the __acl__ on it is used.

It's not complicated, and this is the way to get Pyramid to do it for you.

If you do not want to use the permission argument, you can do authorization inside the view itself, as Kirk suggested.

In addition, if you do not like this method of adding __acl__ properties and workarounds for authorization, you can implement your own AuthorizationPolicy to do what you would like to do with the list of principals and the permission.

The point of the Pyramid auth system is that it is there, which is great. Pyramid by no means requires you to use it, and there is no performance cost for views that do not use it.

+8
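A worked version of the Post resource with an author-only __acl__, as an added example rather than code from the question or the answers: Root, Posts and Post classes (the posts node and the Post object the answer describes), and a check() that does what a route with traverse='/posts/{post_id}' plus permission='edit_post' on the view amounts to. Allow, Everyone and Authenticated are the string values pyramid.security defines; permits() re-implements the ACL walk of ACLAuthorizationPolicy so the example runs without Pyramid installed, and the POSTS table is constructed sample data.

```python
# Added example (not from the question or answers): a resource tree whose Post
# nodes carry an __acl__ naming only the author, plus a re-implementation of the
# ACL walk Pyramid's ACLAuthorizationPolicy does, so it runs without Pyramid.
Allow, Deny = "Allow", "Deny"                  # same strings pyramid.security uses
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
POSTS = {"1": "alice", "2": "bob"}             # constructed: post id -> author id

class Root:
    __parent__ = __name__ = None
    __acl__ = [(Allow, Everyone, "view"),
               (Allow, Authenticated, "view_profile"),
               (Allow, "groups:editor", "edit_comment")]
    def __getitem__(self, key):
        if key == "posts":
            return Posts(self)
        raise KeyError(key)                    # traversal stops -> 404 in Pyramid

class Posts:
    __name__ = "posts"
    def __init__(self, parent):
        self.__parent__ = parent
    def __getitem__(self, post_id):
        return Post(self, post_id, POSTS[post_id])

class Post:
    def __init__(self, parent, post_id, author):
        self.__parent__, self.__name__, self.author = parent, post_id, author
    @property
    def __acl__(self):
        # Only the author's user id may edit; other permissions fall through
        # to Root's ACL because the lineage is walked upwards.
        return [(Allow, self.author, "edit_post")]

def permits(context, principals, permission):
    """First matching ACE from context up to Root decides; no match = deny."""
    resource = context
    while resource is not None:
        for action, principal, perms in getattr(resource, "__acl__", []):
            perms = [perms] if isinstance(perms, str) else perms
            if principal in principals and permission in perms:
                return action == Allow
        resource = getattr(resource, "__parent__", None)
    return False

def check(post_id, userid, permission, groups=()):
    """What traverse='/posts/{post_id}' plus permission= on the view amounts to;
    groups are the extra principals a groupfinder callback would return."""
    post = Root()["posts"][post_id]
    principals = [Everyone] + ([Authenticated, userid, *groups] if userid else [])
    return permits(post, principals, permission)
```

Note that an editor still cannot edit another author's post: the Post ACL names only the author, and nothing higher in the tree grants edit_post.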

Source: https://habr.com/ru/post/892051/
