The policy is invoked anytime request.authenticated_userid is requested which
includes request.effective_principals which would occur for any call to
request.has_permission. A common approach is to create request.user which
is reified from request.unauthenticated_userid and then you configure
request.authenticated_userid to use the id from request.user. Similarly you
configure request.effective_principals to use request.user to generate the
principals (from within your policy callback).
FWIW I highly recommend using a subclass approach instead of using the
callback as I think it's vastly more clear (shown below):
from pyramid.authentication import SessionAuthenticationPolicy
from pyramid.security import Authenticated, Everyone

class MyAuthenticationPolicy(SessionAuthenticationPolicy):
    def authenticated_userid(self, request):
        # request.user is reified below, so the DB is hit once per request
        user = request.user
        if user is not None:
            return user.id

    def effective_principals(self, request):
        user = request.user
        principals = [Everyone]
        if user is not None:
            principals += [
                Authenticated,
                'u:{}'.format(user.id),
                # ... any other principals
            ]
        return principals

def get_user(request):
    userid = request.unauthenticated_userid
    # validate userid with the database and load the user object
    # (User is the application's own model class)
    user = request.dbsession.query(User).get(userid)
    return user

config.add_request_method(get_user, 'user', reify=True)
Extending the policies is documented here:
https://docs.pylonsproject.org/projects/pyramid/en/1.9-branch/narr/security.html#extending-default-authentication-policies
This will not prevent effective_principals from doing lots of work... you
could setup a cache on the request for that as well if you wanted, but
usually the main work is done loading the user object which we have
optimized away.
It is up to you to deal with the implications of caching the user and
avoiding recomputations... if you change the user's logged-in status etc
they will still show up as logged in from the perspective of the request.
It will only affect later requests. This is fine for most people but you
need to be aware of it.
- Michael
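The lookup-count difference and the caching caveat described above, as an added example that is not from the thread or from Pyramid itself: a toy `Request` with a minimal stand-in for `pyramid.decorator.reify`, an in-memory user table that counts lookups, and the subclass-style policy written against that toy instead of `SessionAuthenticationPolicy`. The `FakeDB`, `Request`, `reify` and principal naming (`u:`, `g:`) are assumptions made for the example.

```python
"""Added example (not Pyramid's code or the thread author's): models the
reified request.user pattern with an in-memory 'database' that counts how
many user lookups each approach makes within one request."""
import functools

Everyone = 'system.Everyone'           # stand-ins for pyramid.security constants
Authenticated = 'system.Authenticated'


class reify:
    """Minimal stand-in for pyramid.decorator.reify: compute once per
    instance, then cache the value in the instance __dict__."""
    def __init__(self, wrapped):
        self.wrapped = wrapped
        functools.update_wrapper(self, wrapped)

    def __get__(self, inst, owner=None):
        if inst is None:
            return self
        value = self.wrapped(inst)
        inst.__dict__[self.wrapped.__name__] = value  # later reads skip __get__
        return value


class FakeDB:
    """Constructed in-memory user table; counts every lookup."""
    def __init__(self):
        self.users = {7: {'id': 7, 'groups': ['editors'], 'active': True}}
        self.lookups = 0

    def get(self, userid):
        self.lookups += 1
        user = self.users.get(userid)
        return user if user and user['active'] else None


class Request:
    """Toy request carrying the session's unauthenticated userid."""
    def __init__(self, db, unauthenticated_userid):
        self.dbsession = db
        self.unauthenticated_userid = unauthenticated_userid

    @reify
    def user(self):
        # validated against the DB once per request, then cached
        return self.dbsession.get(self.unauthenticated_userid)


class MyAuthenticationPolicy:
    """Subclass-style policy from the thread, written against the toy Request."""
    def authenticated_userid(self, request):
        user = request.user
        if user is not None:
            return user['id']

    def effective_principals(self, request):
        user = request.user
        principals = [Everyone]
        if user is not None:
            principals += [Authenticated, 'u:{}'.format(user['id'])]
            principals += ['g:{}'.format(g) for g in user['groups']]
        return principals


def callback_policy_principals(request, db):
    """The callback style: every call re-validates against the database."""
    user = db.get(request.unauthenticated_userid)
    if user is None:
        return [Everyone]
    groups = ['g:{}'.format(g) for g in user['groups']]
    return [Everyone, Authenticated, 'u:{}'.format(user['id'])] + groups


def lookups_per_request(n_checks):
    """Run n_checks permission checks in one request; return the number of
    DB lookups made by (callback approach, reified approach)."""
    db_cb, db_re = FakeDB(), FakeDB()
    req_cb, req_re = Request(db_cb, 7), Request(db_re, 7)
    policy = MyAuthenticationPolicy()
    for _ in range(n_checks):
        callback_policy_principals(req_cb, db_cb)
        policy.effective_principals(req_re)
    return db_cb.lookups, db_re.lookups


def staleness_demo():
    """Deactivate the user mid-request: the reified request still reports
    them as logged in; only a fresh request sees the change."""
    db = FakeDB()
    policy = MyAuthenticationPolicy()
    req = Request(db, 7)
    before = policy.authenticated_userid(req)
    db.users[7]['active'] = False
    same_request = policy.authenticated_userid(req)
    next_request = policy.authenticated_userid(Request(db, 7))
    return before, same_request, next_request
```

`lookups_per_request(10)` returns `(10, 1)`: ten permission checks cost ten lookups with the callback and one with the reified user. `staleness_demo()` returns `(7, 7, None)`, which is the caveat from the reply: a status change made during a request is invisible to that request's cached `user` and only shows up on the next one.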
On Thu, Nov 16, 2017 at 7:35 AM, tonthon <[email protected]> wrote:
> Hi,
>
> I'm using the SessionAuthenticationPolicy with a callback used to retrieve
> groups.
>
> I'm wondering:
>
> When is that callback called (it appears to be called a large number of
> times inside the same request)?
>
> Could it be reified without any security risk?
>
> Thanks in advance
>
> Regards,
>
> Gaston Tjebbes
>
> http://majerti.fr
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/pylons-discuss/b55f0dee-dc5b-f97f-3e11-ae340f973d68%40gmail.com.
> For more options, visit https://groups.google.com/d/optout.
>