CSRF has nothing to do with authentication other than that you should rotate it at login/logout privilege boundaries at the very least.
You can use the CSRF system without configuring a security/auth policy at all.

- Michael

> On May 24, 2021, at 14:40, Zsolt Ero <[email protected]> wrote:
>
> Hi Theron,
>
> Thanks for your reply. It looks indeed simpler. How much more minimal can I
> make it? I definitely want to "circumvent" the whole security system, I'm
> perfectly happy with using my new require_admin=True like options.
>
> I just want CSRF to work and it seems to be dependent on RootFactory being
> defined, which I don't understand.
>
> Zsolt
>
> On 24. May 2021 at 20:31:45, Theron Luhn <[email protected]> wrote:
> You may have better luck with the Pyramid 2.0 security system. It's much
> simpler for cases like yours where you don't need ACL. For example, your
> implementation might look like:
>
> from pyramid.security import Allowed, Denied
>
> class CustomSecurityPolicy:
>     def identity(self, request):
>         return request.user
>
>     def authenticated_userid(self, request):
>         return request.user.id if request.user else None
>
>     def permits(self, request, context, permission):
>         if permission == 'user' and request.user:
>             return Allowed('User is signed in.')
>         elif permission == 'admin' and request.user and request.user.id == 1:
>             return Allowed('Admin user is signed in.')
>         else:
>             return Denied('Access is not allowed.')
>
>     def remember(self, request, userid, **kw):
>         ...  # Same as before
>
>     def forget(self, request, **kw):
>         ...
>
> That's all. No ACL or root factory, just identity()/authenticated_userid()
> returning the current user and permits() giving a thumbs up or down if access
> should be allowed. Docs:
> https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html
>
> View derivers would certainly work. After all, the security system itself is
> implemented with a view deriver. But personally I would avoid circumventing
> the entire security system like that.
>
> — Theron
>
>> On May 22, 2021, at 2:16 PM, [email protected] <[email protected]> wrote:
>>
>> Hi,
>>
>> I've been using the following auth policies for years; it's been working
>> fine:
>>
>> from pyramid.authentication import SessionAuthenticationPolicy
>> from pyramid.authorization import ACLAuthorizationPolicy
>> from pyramid.config import Configurator
>> from pyramid.security import ALL_PERMISSIONS, Allow, Authenticated, Everyone
>>
>>
>> class RootFactory(object):
>>     __acl__ = [
>>         (Allow, Authenticated, 'user'),
>>         (Allow, 'g:admin', 'admin'),
>>         (Allow, 'g:superadmin', ALL_PERMISSIONS),
>>     ]
>>
>>     def __init__(self, request):
>>         pass
>>
>>
>> class CustomSessionAuthenticationPolicy(SessionAuthenticationPolicy):
>>     def authenticated_userid(self, request):
>>         return request.user.id
>>
>>     def effective_principals(self, request):
>>         principals = [Everyone]
>>         if request.user:
>>             principals += [Authenticated]
>>
>>             if request.user.id == 1:
>>                 principals += ['g:superadmin', 'g:admin']
>>
>>         return principals
>>
>>
>> authn_policy = CustomSessionAuthenticationPolicy()
>> authz_policy = ACLAuthorizationPolicy()
>>
>> config = Configurator(
>>     settings=settings,
>>     root_factory=RootFactory,
>>     authentication_policy=authn_policy,
>>     authorization_policy=authz_policy,
>> )
>>
>> ---
>>
>> I'm trying to migrate away from this, as I simply don't understand what is
>> happening behind the scenes, and I prefer a much simpler view deriver based
>> approach.
>>
>> Basically, with a couple of view derivers I could solve all my problems in a
>> few hours, and it also allows me much more flexibility. For example, for some
>> views now I can do auth based on API tokens, while most of the views are
>> using session based auth.
>>
>> My question is, how can I make the auth/security policies as simple as
>> possible? All I need is working CSRF, remember and forget.
>>
>> I'm on 1.10 but I'm happy to migrate to 2.0 if that allows a simplified
>> approach.
>>
>> So far I was able to get it down to this:
>>
>> from pyramid.authentication import SessionAuthenticationPolicy
>> from pyramid.config import Configurator
>> from pyramid.security import Allow, Authenticated
>>
>>
>> class RootFactory(object):
>>     __acl__ = [
>>         (Allow, Authenticated, 'user'),
>>     ]
>>
>>     def __init__(self, request):
>>         pass
>>
>>
>> config = Configurator(
>>     settings=settings,
>>     root_factory=RootFactory,
>>     authentication_policy=SessionAuthenticationPolicy(),
>> )
>>
>> Session is via pyramid_session_redis.
>>
>> Thanks,
>> Zsolt
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "pylons-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/pylons-discuss/60c5a72f-c847-46a9-8e5f-3ed2521f55a1n%40googlegroups.com.
