I resolved the problem by creating a custom authorization policy. I'm not
sure whether it is secure, but at the moment it works well.
In the resource class the only modification is an extended custom tuple like:
    (Allow, self.calendar_permissions('edit'), 'edit_calendar', 'bool')
where the calendar_permissions function returns a bool value.
My authorization policy class has a default_acl field and a permits function:
    from pyramid.httpexceptions import HTTPForbidden
    from pyramid.interfaces import IAuthorizationPolicy
    from pyramid.security import Allow, Authenticated, Everyone
    from zope.interface import implementer

    # class name assumed; the post does not give one
    @implementer(IAuthorizationPolicy)
    class CalendarAuthorizationPolicy(object):
        default_acl = [
            (Allow, Everyone, 'login_view'),
            (Allow, Authenticated, 'auth_user'),
        ]

        def permits(self, context, principals, permission):
            # the resource is expected to carry the request as context.request
            request = context.request
            if request.user:
                # keep only the ACL entries that name the requested permission
                acl = [x for x in context.__acl__() + self.default_acl
                       if x[2] == permission]
                for access in acl:
                    if len(access) == 4:
                        if access[3] == 'bool':
                            # 4-tuple: access[1] is the precomputed bool result
                            return access[1]
                    elif access[1] in principals:
                        return True
                # no entry matched: fall through to HTTPForbidden instead of
                # returning True (a trailing `return True` here fails open)
            elif type(context) is RootFactory \
                    and request.route_url('login') in request.url \
                    and permission == 'login_view':
                return True
            raise HTTPForbidden

        def principals_allowed_by_permission(self, context, permission):
            # required by IAuthorizationPolicy; not used by this application
            return []
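As an added example (not the poster's code and not Pyramid's own ACLAuthorizationPolicy), here is the same idea done deny-by-default: the resource's __acl__ turns share rows into ordinary ACL entries, so no per-request mutation of effective principals is needed, and permits walks the ACL in order, first match winning, returning False when nothing matches. The Allow/Deny/Everyone/Authenticated names are local stand-ins for the pyramid.security constants, and CALENDARS/SHARES are constructed sample data.

```python
# Added example, not the poster's code: deny-by-default ACL evaluation where
# share grants are emitted by the resource's __acl__. Allow/Deny/Everyone/
# Authenticated are local stand-ins for pyramid.security's constants so this
# runs without Pyramid installed.
Allow, Deny = 'Allow', 'Deny'
Everyone, Authenticated = 'system.Everyone', 'system.Authenticated'

# Constructed sample data: calendar owners and share grants (user -> perm_type).
CALENDARS = {1: {'owner': 'u1'}, 2: {'owner': 'u2'}, 3: {'owner': 'u2'}}
SHARES = {2: {'u1': 'view'}, 3: {'u1': 'edit', 'u3': 'deny'}}

def effective_principals(user_id):
    """Same shape as the poster's security.py: static principals only."""
    principals = [Everyone]
    if user_id is not None:
        principals += [Authenticated, str(user_id)]
    return principals

class CalendarResource:
    def __init__(self, calendar_id):
        self.calendar_id = calendar_id

    def __acl__(self):
        # Share rows become ordinary ACEs; order matters, first match wins,
        # so explicit denies go first.
        shares = SHARES.get(self.calendar_id, {})
        acl = [(Deny, uid, ('view_calendar', 'edit_calendar'))
               for uid, perm in shares.items() if perm == 'deny']
        acl.append((Allow, Authenticated, 'add_calendar'))
        acl.append((Allow, CALENDARS[self.calendar_id]['owner'],
                    ('view_calendar', 'edit_calendar')))
        for uid, perm in shares.items():
            if perm == 'edit':
                acl.append((Allow, uid, ('view_calendar', 'edit_calendar')))
            elif perm == 'view':
                acl.append((Allow, uid, 'view_calendar'))
        return acl

def permits(context, principals, permission):
    """Walk the ACL in order; the first ACE naming both the permission and one
    of the caller's principals decides. No match means denied, never allowed."""
    for action, principal, perms in context.__acl__():
        if isinstance(perms, str):
            perms = (perms,)
        if principal in principals and permission in perms:
            return action == Allow
    return False
```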
On Saturday, August 13, 2016 at 9:53:09 PM UTC+2, Aleksander Philips wrote:
>
> Hello,
>
> My project has included some simple authentication with route factory:
> # security.py
> def effective_principals(self, request):
>     principals = [Everyone]
>     user = request.user
>     if user is not None:
>         principals.append(Authenticated)
>         principals.append(str(user.user_id))
>     return principals
>
>
>
> # routes.py
> config.add_handler('calendar', 'calendar/{action}',
>                    factory=calendar_factory,
>                    handler=CalendarView)
>
> def calendar_factory(request):
>     if 'calendar_id' not in request.params:
>         return CalendarResource(Calendar())
>     calendar_id = request.params.get('calendar_id')
>     calendar = request.dbsession.query(Calendar)\
>         .filter_by(calendar_id=calendar_id).first()
>     if calendar is None:
>         raise HTTPNotFound
>
>     return CalendarResource(calendar)
>
>
> class CalendarResource():
>     def __init__(self, calendar):
>         self.calendar = calendar
>
>     def __acl__(self):
>         return [
>             (Allow, Authenticated, 'view_calendar'),
>             (Allow, Everyone, 'add_calendar'),
>             (Allow, str(self.calendar.user_id), 'edit_calendar')
>         ]
>
> which works nicely if the user requests their own calendar, but not if they try
> to get a shared one. I tried to append to request.effective_principals like this:
> calendar_permissions = request.dbsession.query(CalendarPermission.cp_id,
>                                                CalendarPermission.perm_type)\
>     .filter_by(calendar_id=calendar_id)\
>     .all()
> request.effective_principals.append(calendar_permissions)
>
>
> but it doesn't append to the effective_principals list. I got badly stuck there
> and I really can't find a way to update principals dynamically. I would be
> grateful, guys, if you can help me resolve this problem.
>