diff options
| author | Michael Merickel <michael@merickel.org> | 2020-01-16 10:01:29 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-01-16 10:01:29 -0600 |
| commit | 9c153e1250e00faa06003c10c3a26886489e6210 (patch) | |
| tree | 0bb4743f9e793e73c5f7a369d5744a1eff2e9c00 /docs/narr/security.rst | |
| parent | 912bccb8b715b0249c2c23736c467eaee14a4e3b (diff) | |
| parent | cc26acfd29c94036d1c4d9164dba6a2b7792c00a (diff) | |
| download | pyramid-9c153e1250e00faa06003c10c3a26886489e6210.tar.gz pyramid-9c153e1250e00faa06003c10c3a26886489e6210.tar.bz2 pyramid-9c153e1250e00faa06003c10c3a26886489e6210.zip | |
Merge pull request #3557 from mmerickel/security-docs
update docs to use security policy
Diffstat (limited to 'docs/narr/security.rst')
| -rw-r--r-- | docs/narr/security.rst | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/docs/narr/security.rst b/docs/narr/security.rst index ac64cba0a..b4203161e 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -69,7 +69,7 @@ A simple security policy might look like the following: from pyramid.security import Allowed, Denied class SessionSecurityPolicy: - def identify(self, request): + def authenticated_identity(self, request): """ Return app-specific user object. """ userid = request.session.get('userid') if userid is None: @@ -78,14 +78,14 @@ A simple security policy might look like the following: def authenticated_userid(self, request): """ Return a string ID for the user. """ - identity = self.identify(request) + identity = self.authenticated_identity(request) if identity is None: return None return string(identity.id) def permits(self, request, context, permission): """ Allow access to everything if signed in. """ - identity = self.identify(request) + identity = self.authenticated_identity(request) if identity is not None: return Allowed('User is signed in.') else: @@ -144,7 +144,7 @@ For example, our above security policy can leverage these helpers like so: def __init__(self): self.helper = SessionAuthenticationHelper() - def identify(self, request): + def authenticated_identity(self, request): """ Return app-specific user object. """ userid = self.helper.authenticated_userid(request) if userid is None: @@ -153,14 +153,14 @@ For example, our above security policy can leverage these helpers like so: def authenticated_userid(self, request): """ Return a string ID for the user. """ - identity = self.identify(request) + identity = self.authenticated_identity(request) if identity is None: return None return str(identity.id) def permits(self, request, context, permission): """ Allow access to everything if signed in. """ - identity = self.identify(request) + identity = self.authenticated_identity(request) if identity is not None: return Allowed('User is signed in.') else: @@ -249,7 +249,7 @@ might look like so: class SecurityPolicy: def permits(self, request, context, permission): - identity = self.identify(request) + identity = self.authenticated_identity(request) if identity is None: return Denied('User is not signed in.') @@ -698,7 +698,7 @@ A "secret" is required by various components of Pyramid. For example, the helper below might be used for a security policy and uses a secret value ``seekrit``:: - helper = AuthTktCookieHelper('seekrit', hashalg='sha512') + helper = AuthTktCookieHelper('seekrit') A :term:`session factory` also requires a secret:: @@ -720,6 +720,8 @@ has the possibility of providing a chosen plaintext. single: preventing cross-site request forgery attacks single: cross-site request forgery attacks, prevention +.. _csrf_protection: + Preventing Cross-Site Request Forgery Attacks --------------------------------------------- |