On May 27, 2014, at 23:20 , Gerhard Schmidt <[email protected]> wrote:
> On 27.05.2014 18:22, Tres Seaver wrote:
>> On 05/27/2014 10:20 AM, Gerhard Schmidt wrote:
>>
>>> Maybe I'm doing the whole thing wrong and there is a better way to do
>>> this.
>>
>> Use a 'request.has_permission' check to filter the subobjects, e.g.::
>>
>> allowed = [x for x in context.getClubs()
>> if request.has_permission('view', x)]
>
> That one has the same problem.
>
> The context loss here is at pyramid/security.py line 387, which says
> principals = authn_policy.effective_principals(self).
>
> So again only the principals of the root container are returned and passed
> in the next line to
> authz_policy.permits(context, principals, permission)
> which fails because the group defined in the context is not in principals.
>
> The problem is that the authentication policy is not context aware.
>
> Regards
> Estartu
>
> --
> ----------------------------------------------------------------------------
> Gerhard Schmidt | http://www.augusta.de/~estartu/ |
> Fischbachweg 3 | | PGP Public Key
> 86856 Hiltenfingen | JabberID: [email protected] | auf Anfrage/
> Tel: 08232 77 36 4 | | on request
> Fax: 08232 77 36 3 | |
>
effective_principals(self)
returns a list of effective_principals according to the authentication policy
and has nothing to do with the root context/container.
If your effective_principals returns:
group:admin, group:mods, group:staff, username
And your context has:
Allowed -> group:admin -> view
Then request.has_permission('view', x) will return True.
Otherwise the user clearly doesn’t have view permissions because they aren’t in
the right group, or any groups at all, and thus False will be returned.
Bert
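The point Bert makes above, shown as an added example that is neither code from this thread nor Pyramid's own implementation: a simplified stand-in for Pyramid's ACL lineage walk, where `Root`, `Club`, the `user:`/`group:` principal names and the `has_permission(permission, context, userid, groups)` helper signature are all assumptions. Because `effective_principals` only ever sees the request, membership that lives on a sub-object has to be expressed in that object's own `__acl__` in terms of principals the authentication policy actually hands over.

```python
# Added example (not code from the thread or from Pyramid itself): a simplified
# reimplementation of Pyramid's ACL walk, to show why a group recorded only on
# a sub-object never reaches permits(), and how a per-object __acl__ fixes it.
Allow, Deny, Everyone = "Allow", "Deny", "system.Everyone"

class Root:
    __parent__ = None
    __acl__ = [(Allow, "group:admin", "view")]

class Club:
    def __init__(self, name, parent, members):
        self.name, self.__parent__, self.members = name, parent, set(members)

    @property
    def __acl__(self):
        # Assumption: membership lives on the club; express it as per-user ACEs
        # so the ACL walk can match the principals the authn policy provides.
        return [(Allow, f"user:{m}", "view") for m in sorted(self.members)]

def effective_principals(userid, groups):
    # Stand-in for authn_policy.effective_principals(request): it only knows
    # the request's user and group memberships, never the context.
    return [Everyone] + ([f"user:{userid}"] + list(groups) if userid else [])

def permits(context, principals, permission):
    # Walk from the context up to the root; the first ACE whose principal is
    # in `principals` and whose permission matches decides (a Deny met first wins).
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", []):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False

def has_permission(permission, context, userid, groups=()):
    return permits(context, effective_principals(userid, groups), permission)

# Constructed sample tree: two clubs under one root, each with its own members.
root = Root()
chess = Club("chess", root, members=["alice"])
go = Club("go", root, members=["bob"])

def allowed_clubs(userid, groups=()):
    # The filter Tres suggested, run against the per-club ACLs above.
    return [c.name for c in (chess, go) if has_permission("view", c, userid, groups)]

if __name__ == "__main__":
    print(allowed_clubs("alice"))                    # ['chess']
    print(allowed_clubs("carol", ["group:admin"]))   # ['chess', 'go']
    print(allowed_clubs(None))                       # []
```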