Hi,

I've been using the following auth policies for years, and it's been working 
fine:

    from pyramid.authentication import SessionAuthenticationPolicy
    from pyramid.authorization import ACLAuthorizationPolicy
    from pyramid.config import Configurator
    from pyramid.security import (
        ALL_PERMISSIONS, Allow, Authenticated, Everyone,
    )


    class RootFactory(object):
        __acl__ = [
            (Allow, Authenticated, 'user'),
            (Allow, 'g:admin', 'admin'),
            (Allow, 'g:superadmin', ALL_PERMISSIONS),
        ]

        def __init__(self, request):
            pass


    # request.user is an attribute added elsewhere (add_request_method);
    # it is None for anonymous requests
    class CustomSessionAuthenticationPolicy(SessionAuthenticationPolicy):
        def authenticated_userid(self, request):
            # guard anonymous requests instead of raising AttributeError
            return request.user.id if request.user else None

        def effective_principals(self, request):
            principals = [Everyone]
            if request.user:
                principals += [Authenticated]

                if request.user.id == 1:
                    principals += ['g:superadmin', 'g:admin']

            return principals


    authn_policy = CustomSessionAuthenticationPolicy()
    authz_policy = ACLAuthorizationPolicy()

    # settings: the dict Pyramid passes to main(global_config, **settings)
    config = Configurator(
        settings=settings,
        root_factory=RootFactory,
        authentication_policy=authn_policy,
        authorization_policy=authz_policy,
    )

---

I'm trying to migrate away from this, as I simply don't understand what is 
happening behind the scenes, and I prefer a much simpler view deriver based approach.

Basically, with a couple of view derivers I could solve all my problems in 
a few hours, and it also allows me much more flexibility. For example for 
some views now I can do auth based on API tokens, while most of the views 
are using session based auth.

My question is, how can I make the auth/security policies as simple as 
possible? All I need is working CSRF, remember and forget.

I'm on 1.10 but I'm happy to migrate to 2.0 if that allows a simplified 
approach.

So far I was able to get it down to this:

    from pyramid.authentication import SessionAuthenticationPolicy
    from pyramid.authorization import ACLAuthorizationPolicy
    from pyramid.config import Configurator
    from pyramid.security import Allow, Authenticated


    class RootFactory(object):
        __acl__ = [
            (Allow, Authenticated, 'user'),
        ]

        def __init__(self, request):
            pass


    config = Configurator(
        settings=settings,
        root_factory=RootFactory,
        authentication_policy=SessionAuthenticationPolicy(),
        # Pyramid 1.x refuses an authentication policy without an
        # authorization policy (ConfigurationError at commit), and the
        # __acl__ above only takes effect through one
        authorization_policy=ACLAuthorizationPolicy(),
    )

Session is via pyramid_session_redis.

Thanks,
Zsolt
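Added example (not from the post above, and not Pyramid's own code): the Pyramid 2.0 shape of the same setup. One security policy supplies identity/authenticated_userid/permits/remember/forget, and require_csrf covers the CSRF part, so the two 1.x policies collapse into a single class. The ACL walk that ACLAuthorizationPolicy performed is written out in permits() because that is the part the post describes as opaque. Assumptions: request.session is a dict-like ISession with invalidate() (pyramid_session_redis provides one), user objects carry .id and .groups, and load_user is a hypothetical caller-supplied lookup from stored userid to user. Pyramid is imported only inside make_config() so the policy can be exercised offline against a fake request and constructed users.

```python
# Pyramid 2.0-style security policy: session identity plus an explicit ACL
# check. Pyramid is imported only inside make_config() so the policy logic
# runs here against a fake request without a Pyramid install.
from types import SimpleNamespace

# Literal values of pyramid.security.Allow/Deny/Everyone/Authenticated, so an
# ACL written with the real names evaluates identically.
ALLOW, DENY = "Allow", "Deny"
EVERYONE, AUTHENTICATED = "system.Everyone", "system.Authenticated"
ALL_PERMISSIONS = object()   # stand-in for pyramid.security.ALL_PERMISSIONS
SESSION_KEY = "auth.userid"  # the key SessionAuthenticationHelper uses too

class Root:
    """Root context carrying the post's ACL."""
    __parent__ = None
    __acl__ = [(ALLOW, AUTHENTICATED, "user"),
               (ALLOW, "g:admin", "admin"),
               (ALLOW, "g:superadmin", ALL_PERMISSIONS)]

    def __init__(self, request):
        self.request = request

class Locked:
    """Child context: its Deny is reached before any of the root's Allows."""
    __acl__ = [(DENY, EVERYONE, ALL_PERMISSIONS)]

    def __init__(self, parent):
        self.__parent__ = parent

class SessionSecurityPolicy:
    """The five methods pyramid.interfaces.ISecurityPolicy asks for."""
    def __init__(self, load_user):
        self._load_user = load_user  # hypothetical: userid -> user or None

    def identity(self, request):
        # Re-validate every request: a session left over from a deleted or
        # disabled account must stop authenticating.
        userid = request.session.get(SESSION_KEY)
        return None if userid is None else self._load_user(userid)

    def authenticated_userid(self, request):
        user = self.identity(request)
        return None if user is None else user.id

    def permits(self, request, context, permission):
        principals = {EVERYONE}
        user = self.identity(request)
        if user is not None:
            principals.add(AUTHENTICATED)
            principals.update(user.groups)
        # What ACLAuthorizationPolicy did behind the scenes: walk from the
        # context up its __parent__ chain and decide on the FIRST ACE whose
        # principal and permission both match; no match at all means denied.
        node = context
        while node is not None:
            acl = getattr(node, "__acl__", ())
            for action, principal, perms in (acl() if callable(acl) else acl):
                perms = [perms] if isinstance(perms, str) else perms
                if principal in principals and (
                        perms is ALL_PERMISSIONS or permission in perms):
                    return action == ALLOW
            node = getattr(node, "__parent__", None)
        return False

    def remember(self, request, userid, **kw):
        request.session.invalidate()  # fresh session id: no session fixation
        request.session[SESSION_KEY] = userid
        return []  # the session cookie carries the state; no extra headers

    def forget(self, request, **kw):
        request.session.pop(SESSION_KEY, None)
        return []

def make_config(settings, load_user):
    """Pyramid 2.0 wiring: one security policy replaces both 1.x policies."""
    from pyramid.config import Configurator
    config = Configurator(settings=settings, root_factory=Root)
    config.set_security_policy(SessionSecurityPolicy(load_user))
    # Reject non-safe requests whose csrf_token does not match the session's.
    config.set_default_csrf_options(require_csrf=True)
    return config

class FakeSession(dict):
    """Constructed stand-in for an ISession: a dict plus invalidate()."""
    def invalidate(self):
        self.clear()

# Constructed users; id 1 mirrors the post's hard-coded superadmin.
USERS = {1: SimpleNamespace(id=1, groups=["g:admin", "g:superadmin"]),
         2: SimpleNamespace(id=2, groups=[])}
POLICY = SessionSecurityPolicy(USERS.get)

def check(userid, make_context, permission):
    """Log `userid` in (None = anonymous), then ask if `permission` is granted."""
    request = SimpleNamespace(session=FakeSession())
    if userid is not None:
        POLICY.remember(request, userid)
    return POLICY.permits(request, make_context(request), permission)

def roundtrip(userid):
    """authenticated_userid right after remember() and again after forget()."""
    request = SimpleNamespace(session=FakeSession())
    POLICY.remember(request, userid)
    before = POLICY.authenticated_userid(request)
    POLICY.forget(request)
    return before, POLICY.authenticated_userid(request)
```

Once on 2.0, pyramid.authentication.SessionAuthenticationHelper can stand in for the three session lines and pyramid.authorization.ACLHelper for the walk in permits(); they behave the same way as the inline versions. identity() is also the single place to branch for the views that authenticate with an API token instead of a session: look at the header there and return the user, and permits/remember/forget stay untouched.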

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/60c5a72f-c847-46a9-8e5f-3ed2521f55a1n%40googlegroups.com.