Yes, that much I understood from the documentation, but for example this
is from the pyramid.security documentation:
headers = remember(request, 'chrism', password='123', max_age='86400')
From which I gather that password and max_age are the kw params where
"meaning of **kw must be agreed upon by the calling code and the
effective authentication policy."
I suppose these are all set in the cookie, so my question is how are
those params (and where) read back by the application?
Regarding the groupfinder, I do understand your example, but my question
still remains. Can I somehow set the principals once, presumably in the
tkt cookie itself (remember()?). I don't want to look up what is
basically "static" data upon each request, if that can be resolved once
upon login and valid for the duration of the cookie.
Thanks,
Vlad
On 03/24/2011 07:20 PM, Parnell Springmeyer wrote:
"Vlad K." <[email protected]> writes:
First of all, I don't quite understand the kw params of the remember()
function. If those params are app specific, where can they be "read"
and used after remembering?
I use it like this:
from pyramid.httpexceptions import HTTPFound
from pyramid.security import remember
from pyramid.url import resource_url
headers = remember(request, user.id)
return HTTPFound(location=resource_url(somecontext, request),
                 headers=headers)
Furthermore, is the groupfinder callback really needed? Can't all the
relevant user data (say userid, and group principals) be set via the
signed cookie? In other words, how can I prevent (db storage) lookup
upon each request and rely only on the data in the ticket cookie?
After all, the userid and group is usually (at least in my case) set
upon login and does not have to be looked up for existence upon each
request.
For my app, a user can have many different "roles" (or groups in this
case) so I use the groupfinder callback to, essentially, look up all of
the roles relevant to a given user.
A function in my user model module:
def role_filter(user_id, request):
    """AuthTkt callback: return the user's group principals, or None when
    the userid in the ticket no longer matches a user in the database."""
    session = DBSession()
    user = session.query(User).filter(User.id == user_id).first()
    if user:
        return [('group:%s' % role.name) for role in user.rolez]
    else:
        return None
Then inside __init__.py when configuring the Configurator:
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.config import Configurator
from pyramid_beaker import session_factory_from_settings

config = Configurator(settings=settings,
                      root_factory=get_root,
                      session_factory=session_factory_from_settings(settings),
                      authentication_policy=AuthTktAuthenticationPolicy('somesecritkey',
                          timeout=1800, reissue_time=180, callback=role_filter),
                      authorization_policy=ACLAuthorizationPolicy())
Then in my resources.py module I define the acls with the resources, the
login resource (clipped for brevity) for example:
from pyramid.security import ALL_PERMISSIONS, Allow, Authenticated, Deny, Everyone

class LoginResource(object):
    """A resource for login."""
    __acl__ = [(Deny, Authenticated, ALL_PERMISSIONS),
               (Allow, Everyone, ('read', 'write'))]
Or you can (Allow, 'group:writer', ('read', 'write')) on some other
resource assuming one of the user's groups is "writer".
Hope that helps (btw, if anyone has a way that is better than mine,
please speak up!).
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/pylons-discuss?hl=en.
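Added example, not code from this thread or from Pyramid: a stdlib-only stand-in for the signed ticket Vlad asks about, showing the two things the thread circles around: how policy-specific data put into the cookie at remember() time gets read back on a later request, and a groupfinder callback with the same (userid, request) shape as Parnell's role_filter that answers from the ticket instead of running a DB query per request. The ticket layout (JSON + HMAC-SHA256, dot-separated), the cookie name, the FakeRequest class and the remember() function here are all my own constructions and not Pyramid's auth_tkt wire format or API; SECRET and TIMEOUT just mirror the values in Parnell's Configurator.

```python
import base64
import hashlib
import hmac
import json
import time

# Same roles as the secret and timeout in the Configurator in the thread;
# constructed values for this example.
SECRET = b'somesecritkey'
TIMEOUT = 1800  # seconds a ticket stays valid after it was issued


def make_ticket(secret, userid, groups, now=None):
    """Seal userid + groups + issue time into 'base64url(payload).hexhmac'.

    Hypothetical ticket layout (JSON body, HMAC-SHA256 over the encoded
    body), not Pyramid's auth_tkt format; the point is only that the
    principals travel inside the signed cookie.
    """
    now = int(time.time()) if now is None else int(now)
    payload = json.dumps({'userid': userid, 'groups': sorted(groups), 'ts': now},
                         sort_keys=True, separators=(',', ':')).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip('=')
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + '.' + sig


def parse_ticket(secret, value, now=None, timeout=TIMEOUT):
    """Return the sealed dict, or None for a missing, forged or expired ticket."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig = value.rsplit('.', 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # body edited, or signed with a different secret
    try:
        data = json.loads(base64.urlsafe_b64decode(body + '=' * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or now - data.get('ts', 0) > timeout:
        return None  # older than timeout: the user has to log in again
    return data


class FakeRequest(object):
    """Stand-in for the Pyramid request; only .cookies is needed here."""
    def __init__(self, cookies):
        self.cookies = cookies


def remember(request, userid, groups, now=None):
    """Login-time step: the groups are resolved once (from the DB, at login)
    and returned in a Set-Cookie header. Stands in for
    pyramid.security.remember(); the cookie name 'auth_tkt' is made up."""
    ticket = make_ticket(SECRET, userid, groups, now)
    return [('Set-Cookie', 'auth_tkt=%s; Path=/; HttpOnly' % ticket)]


def groupfinder(userid, request, now=None):
    """Callback in the (userid, request) shape of Parnell's role_filter,
    answered from the verified ticket instead of a per-request DB lookup."""
    data = parse_ticket(SECRET, request.cookies.get('auth_tkt', ''), now)
    if data is None or data.get('userid') != userid:
        return None
    return ['group:%s' % name for name in data['groups']]
```

Two things to keep in mind if you do this for real. First, what the HMAC buys you is tamper detection, not secrecy: the client can read (but not change) its own group list, so do not put anything in there you would not show the user. Second, principals sealed at login are exactly as fresh as the ticket: removing a role in the database has no effect until the ticket expires, and if the policy reissues tickets on activity (the timeout=1800 / reissue_time=180 pair above) an active user keeps the old groups indefinitely unless the reissue path re-reads them. A short timeout, or a DB check on the few permissions that matter most, is the usual compromise.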