diff options
| author | Theron Luhn <theron@luhn.com> | 2019-12-15 20:27:10 -0800 |
|---|---|---|
| committer | Theron Luhn <theron@luhn.com> | 2019-12-15 20:27:10 -0800 |
| commit | 5f6f7184a997cb2dfa341eef53259d4254a242e8 (patch) | |
| tree | 3b9b015c4c06f2f621ca20d7edf15afe896dc1bb /docs | |
| parent | d79e1dfa0f0f52dbce8ec4a9b08c6ef7740f6dea (diff) | |
| download | pyramid-5f6f7184a997cb2dfa341eef53259d4254a242e8.tar.gz pyramid-5f6f7184a997cb2dfa341eef53259d4254a242e8.tar.bz2 pyramid-5f6f7184a997cb2dfa341eef53259d4254a242e8.zip | |
Remove requirement that identity is validated.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/glossary.rst | 5 | ||||
| -rw-r--r-- | docs/narr/security.rst | 28 |
2 files changed, 21 insertions, 12 deletions
diff --git a/docs/glossary.rst b/docs/glossary.rst index 5edc4eeab..8152c7b96 100644 --- a/docs/glossary.rst +++ b/docs/glossary.rst @@ -303,9 +303,8 @@ Glossary request. Oftentimes this is the ID of the user object in a database. identity - An identity is an object identifying the user associated with the - current request. The identity can be any object, but security policies - should ensure that it represents a valid user (not deleted or deactivated). + An identity is an object identifying the user associated with the current request. + The object can be of any shape, such as a simple ID string or an ORM object. security policy A security policy in :app:`Pyramid` terms is an object implementing the diff --git a/docs/narr/security.rst b/docs/narr/security.rst index cdc16b6a1..60be067bf 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -69,17 +69,21 @@ A simple security policy might look like the following: from pyramid.security import Allowed, Denied class SessionSecurityPolicy: + def authenticated_userid(self, request): + """ Return a string ID for the user. """ + userid = self.identify(request).id + if validate_userid(request, userid): + return userid + else: + return None + def identify(self, request): """ Return app-specific user object. """ - userid = request.session.get('userid') + userid = self.authenticated_userid if userid is None: return None return load_identity_from_db(request, userid) - def authenticated_userid(self, request): - """ Return a string ID for the user. """ - return self.identify(request).id - def permits(self, request, context, permission): """ Allow access to everything if signed in. """ identity = self.identify(request) @@ -141,12 +145,18 @@ For example, our above security policy can leverage these helpers like so: def __init__(self): self.helper = SessionAuthenticationHelper() - def identify(self, request): + def authenticated_userid(self, request): userid = self.helper.authenticated_userid(request) - return load_identity_from_db(request, userid) + if validate_userid(request, userid): + return userid + else: + return None - def authenticated_userid(self, request): - return self.identify(request).id + def identify(self, request): + userid = self.authenticated_userid + if userid is None: + return None + return load_identity_from_db(request, userid) def permits(self, request, context, permission): """ Allow access to everything if signed in. """ |