
pyramid_auth_demo's Introduction

Pyramid has the ability to handle complex authentication and authorization patterns. How to do so is a constant source of frustration for new users. This is a demo intended to showcase Pyramid's authorization capabilities. A lot of the demo focuses on URL Dispatch. If you are interested in traversal, do not despair as authorization via traversal is virtually indistinguishable from the object-level security demo and all of the concepts learned transfer over easily.

This demo is built around a wiki-style website that allows users to view and create pages. The supported URL structure is as follows:

/
/login
/logout

/users
/user/{login}

/pages
/create_page
/page/{title}
/page/{title}/edit

There are 3 different projects in this demo. Each project will add varying levels of functionality to this application:

  1. Base Application

    Allow anyone to do anything. This is the base website we'll be starting with to demonstrate different levels of security.

  2. Group-Level Security

    Allow users different privileges based on their 'group'.

    For example, users 'michael' and 'chris' are in the 'admin' group, while 'bob' is only in the 'user' group.

  3. Object-Level Security

    Permit users access to all Page objects for which they are tagged as the owner, or permit a user to access only his or her User object.

    For example, 'michael' created the 'Demo' Page object, thus he can 'edit' and 'delete' it. But he cannot 'edit' or 'delete' the 'Pyramid' Page because he is not the owner.

Please reference the documentation in the docs/ directory for explanations of the different projects and levels of security. A rendered version of the documentation can be found at http://michael.merickel.org/projects/pyramid_auth_demo.
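To make the two security levels above concrete, here is an added example (not code from the pyramid_auth_demo project): a stand-alone, plain-Python model of the ACL walk that Pyramid's ACL authorization performs, applied to the README's users and pages. The names Allow, Deny, Everyone and Authenticated mirror pyramid.security but are defined locally so the file runs without Pyramid installed; the 'manage' permission, the user table and the owner of the 'Pyramid' page (bob) are constructed assumptions, since the README only names michael as the owner of 'Demo'.

```python
# Added example, not the demo's own code: a minimal re-implementation of the
# ACL evaluation Pyramid applies to a resource tree, using the README's data.

Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"            # principal every request carries
Authenticated = "system.Authenticated"  # principal carried once logged in

# Constructed user table: michael and chris are admins, bob is a plain user.
USERS = {"michael": ["admin"], "chris": ["admin"], "bob": ["user"]}


def effective_principals(userid):
    """Principals a request carries: Everyone, then (if logged in)
    Authenticated, the userid itself and one 'group:<name>' per group."""
    principals = [Everyone]
    if userid in USERS:
        principals += [Authenticated, userid]
        principals += ["group:" + g for g in USERS[userid]]
    return principals


class Root:
    """Group-level security: one ACL at the root of the resource tree.
    'manage' is an assumed permission standing in for admin-only views."""
    __parent__ = None
    __acl__ = [
        (Allow, Everyone, "view"),
        (Allow, Authenticated, "create"),
        (Allow, "group:admin", "manage"),
    ]


class Page:
    """Object-level security: only the owner may edit or delete the page.
    Anything not decided here falls through to Root via __parent__."""
    def __init__(self, title, owner, parent):
        self.title = title
        self.owner = owner
        self.__parent__ = parent

    @property
    def __acl__(self):
        return [(Allow, self.owner, ("edit", "delete"))]


class User:
    """A user may edit only his or her own User object."""
    def __init__(self, login, parent):
        self.login = login
        self.__parent__ = parent

    @property
    def __acl__(self):
        return [(Allow, self.login, "edit")]


def lineage(context):
    """Yield the context, then each __parent__ up to the root."""
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)


def permits(context, principals, permission):
    """Walk from the context outward; the first ACE whose principal the
    request holds and whose permissions include the one requested decides.
    If no ACE matches anywhere in the lineage, access is denied."""
    for node in lineage(context):
        for action, principal, perms in getattr(node, "__acl__", ()):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
    return False


def check(userid, context, permission):
    return permits(context, effective_principals(userid), permission)


# Constructed resource tree. 'Demo' belongs to michael as in the README;
# the 'Pyramid' page's owner is not named there, so bob is assumed.
root = Root()
pages = {
    "Demo": Page("Demo", "michael", root),
    "Pyramid": Page("Pyramid", "bob", root),
}
users = {login: User(login, root) for login in USERS}

if __name__ == "__main__":
    for userid in (None, "michael", "bob"):
        for title, page in pages.items():
            print(userid, title, "view:", check(userid, page, "view"),
                  "edit:", check(userid, page, "edit"))
```

Running the file prints a view/edit matrix per user and page. The point to notice is that michael, although an admin, cannot edit the 'Pyramid' page: the page's own ACL names only its owner, and the root ACL grants admins 'manage' rather than 'edit', so the walk ends with no matching ACE and the default is deny.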

pyramid_auth_demo's People

Contributors

drnextgis, hariharan-uno, mmerickel, mvanveen


pyramid_auth_demo's Issues

Recommended auth framework that follows these principles?

Not an issue with your demo (which is very helpful - thanks), but more wondering if there's a good pyramid framework that implements these basic principles (especially one that has a ready integration with SQLAlchemy).

I'm half-tempted to try writing one myself based on this tutorial, but I know I've got a long way to go to write something good in Pyramid, and wondered if there's something already available.

How to set the __acl__ property of Sqlalchemy domain class?

I am a novice.

I tried to apply the pyramid auth demo like this, but the code does not work.

from datetime import datetime

from pyramid.httpexceptions import HTTPFound
from pyramid.security import Allow
from pyramid.view import view_config
from sqlalchemy import Column, DateTime, ForeignKey, Integer, String, Text
from sqlalchemy.orm import backref, relationship

# Base, User and DBSession are the project's own models module objects.


class Article(Base):
    __tablename__ = 'articles'
    id = Column(Integer, primary_key=True)
    title = Column(String(255), nullable=False)
    content = Column(Text)
    # pass the callable, not datetime.now(), so each row gets its own timestamp
    created_at = Column(DateTime, nullable=False, default=datetime.now)
    edited_at = Column(DateTime, nullable=False, default=datetime.now)
    user_id = Column(Integer, ForeignKey('tg_user.user_id'))
    author = relationship('User', backref=backref("articles", lazy='dynamic'))

    @property
    def __acl__(self):
        return [
            (Allow, self.author, 'edit'),  # right? wrong?
        ]

    def __init__(self, title, content, author):
        self.title = title
        self.content = content
        self.author = author


@view_config(route_name="create_article", renderer="templates/create_article.jinja2",
             permission="create")
def create_article(request):
    logged_in = request.authenticated_userid

    author = User.by_email_address(logged_in)

    article = Article(title="", content="", author=author)

    if 'form.submitted' in request.params:
        title = request.params['title']
        content = request.params['content']
        article = Article(title=title, content=content, author=author)
        DBSession.add(article)
        DBSession.flush()
        return HTTPFound(location=request.route_url('show_article', article_id=article.id))

    return dict(
        article=article,
        save_url=request.route_url('create_article'),
        logged_in=request.authenticated_userid,
    )


Is there anything wrong with what I'm doing?

PyramidAuthDemo http://michael.merickel.org/projects/pyramid_auth_demo/

Use pure traversal rather than hybrid routing

It would be nice to use pure traversal for the view configs here (I mean view_config with context + name rather than route_name + factory + traverse for page list, view, edit). This would make this repo a nice, small example of traversal.

(Selfish request as I am re-learning traversal subtleties using wiki example from Pyramid docs, this repo (thanks!), a couple gists like https://gist.github.com/hadrien/8658263 and https://gist.github.com/hadrien/0efa49ca8837f948d63c and other resources)

Home and login would keep their routes and views.
