How can a Pyramid app do a permissions check for an identity that *isn't* the 
identity authenticated by the current request?

For example, our app has an API that users can use to flag a post in a group as 
inappropriate. When this happens the app sends a notification email to every 
user who has permission to moderate posts in the group (all the group's 
moderators). So the code needs to iterate over all the group's members and ask 
"Does this user have permission to moderate posts in this group?"

In our app the way we've implemented this is that our security policy's 
`permits(request, context, permission)` method delegates to an 
`identity_permits(identity, context, permission)` function:

    class MySecurityPolicy:
        ...
        def permits(self, request, context, permission):
            return identity_permits(request.identity, context, permission)

    def identity_permits(identity, context, permission):
        ...

The view code that sends these email notifications can then do something like 
this:

    context = MyContext(...)

    for user in group.users:
        identity = MyIdentity(user, ...)

        if identity_permits(identity, context, permission="moderate"):
            ...  # Send the email.

But I'm wondering if there's a more pure Pyramid way to do this, without the 
custom `identity_permits()` indirection?

I think you might have to do something like this:

    context = MyContext(...)
    for user in group.users:
        request = Request(...)
        if request.has_permission("moderate", context):
            ...  # Send the email.

That is: construct a request object for each user just to make one 
has_permission() call on that request object.

But this requires there to be a way to construct a request object that will 
read as authenticated as a particular user. May need to use paster_bootstrap()?

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To view this discussion visit 
https://groups.google.com/d/msgid/pylons-discuss/d324d643-7682-41b3-8c8b-f574634ae7ec%40app.fastmail.com.
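Added example (not code from the original post, and not Pyramid's own): a runnable sketch of the split described above, with the authorization rule in a request-free `identity_permits()` and the Pyramid 2.0 `ISecurityPolicy` methods delegating to it. `User`, `Group`, `GroupContext`, the `request.user` attribute and the "moderators plus site admins" rule are assumptions made for the example; the `Allowed`/`Denied` fallback exists only so the file runs without Pyramid installed.

```python
from dataclasses import dataclass, field

try:
    from pyramid.security import Allowed, Denied
except ImportError:
    # Stand-ins so the example runs without Pyramid installed. Pyramid's own
    # Allowed/Denied are truthy/falsy in the same way.
    class Allowed:
        def __init__(self, msg):
            self.msg = msg

        def __bool__(self):
            return True

    class Denied:
        def __init__(self, msg):
            self.msg = msg

        def __bool__(self):
            return False


@dataclass(frozen=True)
class User:  # hypothetical application model
    userid: str
    is_admin: bool = False


@dataclass
class Group:  # hypothetical application model
    name: str
    users: list = field(default_factory=list)
    moderators: set = field(default_factory=set)  # userids allowed to moderate


@dataclass(frozen=True)
class MyIdentity:  # the object the policy's identity() returns
    user: User


@dataclass(frozen=True)
class GroupContext:  # the traversal/route context for one group
    group: Group


def identity_permits(identity, context, permission):
    """Pure authorization check: takes an identity, never a request."""
    if identity is None:
        return Denied("no identity")
    user = identity.user
    if user.is_admin:
        return Allowed("site admin")  # assumed rule: admins may do anything
    if permission == "moderate" and isinstance(context, GroupContext):
        if user.userid in context.group.moderators:
            return Allowed("group moderator")
        return Denied(f"{user.userid} does not moderate {context.group.name}")
    return Denied("no matching rule")


class MySecurityPolicy:
    """Pyramid 2.0 ISecurityPolicy shape; permits() is a one-line adapter."""

    def identity(self, request):
        user = getattr(request, "user", None)  # assumption: set by the app
        return MyIdentity(user) if user else None

    def authenticated_userid(self, request):
        identity = self.identity(request)
        return identity.user.userid if identity else None

    def permits(self, request, context, permission):
        return identity_permits(self.identity(request), context, permission)

    def remember(self, request, userid, **kw):
        return []  # no session handling in this example

    def forget(self, request, **kw):
        return []


def moderators_for(group):
    """The notification loop from the post: which members may 'moderate'?"""
    context = GroupContext(group)
    return [
        user.userid
        for user in group.users
        if identity_permits(MyIdentity(user), context, "moderate")
    ]
```

Because `permits()` does nothing but build the identity and call `identity_permits()`, the per-request check and the per-user loop cannot drift apart, and the view never has to synthesize a request object for each member.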