path: root/repoze/bfg/security.py
authorChris McDonough <chrism@agendaless.com>2009-05-25 01:37:25 +0000
committerChris McDonough <chrism@agendaless.com>2009-05-25 01:37:25 +0000
commit7d1da854e77b56ab6e50f0b8a3e0e61d8ebfb7a7 (patch)
treec90afb9a21697481fd272555fd9c60da31ffd72b /repoze/bfg/security.py
parent267f2db66f514db43d0801237213799cd6797ee4 (diff)
IForbiddenAppFactory -> IForbiddenResponseFactory.
Diffstat (limited to 'repoze/bfg/security.py')
-rw-r--r--repoze/bfg/security.py63
1 files changed, 59 insertions, 4 deletions
diff --git a/repoze/bfg/security.py b/repoze/bfg/security.py
index ba89a80e3..81ecf88ee 100644
--- a/repoze/bfg/security.py
+++ b/repoze/bfg/security.py
@@ -1,3 +1,6 @@
+from webob import Response
+from cgi import escape
+
from zope.component import queryUtility
from zope.deprecation import deprecated
from zope.interface import implements
@@ -7,6 +10,7 @@ from repoze.bfg.location import lineage
from repoze.bfg.interfaces import ISecurityPolicy
from repoze.bfg.interfaces import IViewPermission
from repoze.bfg.interfaces import IViewPermissionFactory
+from repoze.bfg.interfaces import IResponseFactory
from repoze.bfg.wsgi import Unauthorized as UnauthorizedApp
@@ -78,7 +82,9 @@ def principals_allowed_by_permission(context, permission):
class ACLSecurityPolicy(object):
implements(ISecurityPolicy)
-
+
+ forbidden_status = '401 Unauthorized' # b/c, should be 403
+
def __init__(self, get_principals):
self.get_principals = get_principals
@@ -148,7 +154,11 @@ class ACLSecurityPolicy(object):
return []
def forbidden(self, context, request):
- return UnauthorizedApp()
+ body, headerlist = _forbidden_html(request, self.forbidden_status)
+ response_factory = queryUtility(IResponseFactory, default=Response)
+ return response_factory(status = self.forbidden_status,
+ headerlist = headerlist,
+ app_iter = body)
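Review bot: The rewritten `forbidden` returns a response with `forbidden_status = '401 Unauthorized'` but no `WWW-Authenticate` header, and HTTP requires that header on every 401; the inline comment already concedes 403 is the right status, so the backward-compatibility reason deserves a real comment on the attribute, e.g. `# 401 kept for b/c with the old UnauthorizedApp; a real authz denial should be 403 Forbidden`. The four-line body is also duplicated verbatim in `InheritingACLSecurityPolicy.forbidden` (the hunk at `@@ -274,7 +286,11 @@`), so the IResponseFactory lookup and status wiring will drift if one copy is edited. A module-level helper taking the status keeps the two policies in step and gives a single place to add the missing header later; each method then reduces to `return _forbidden_response(request, self.forbidden_status)`. The `ACLSecurityPolicy` class body continues outside the hunk.
```python
def _forbidden_response(request, status):
    """Build the forbidden response shared by both ACL security policies.

    ``status`` is the policy's ``forbidden_status``; the body and headers
    come from ``_forbidden_html``, and the response class is looked up via
    ``IResponseFactory`` so applications can substitute their own.
    """
    body, headerlist = _forbidden_html(request, status)
    response_factory = queryUtility(IResponseFactory, default=Response)
    return response_factory(status=status, headerlist=headerlist,
                            app_iter=body)
```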
class InheritingACLSecurityPolicy(object):
""" A security policy which uses ACLs in the following ways:
@@ -194,7 +204,9 @@ class InheritingACLSecurityPolicy(object):
``authenticated_userid``).
"""
implements(ISecurityPolicy)
-
+
+ forbidden_status = '401 Unauthorized' # b/c, should be 403
+
def __init__(self, get_principals):
self.get_principals = get_principals
@@ -274,7 +286,11 @@ class InheritingACLSecurityPolicy(object):
return allowed
def forbidden(self, context, request):
- return UnauthorizedApp()
+ body, headerlist = _forbidden_html(request, self.forbidden_status)
+ response_factory = queryUtility(IResponseFactory, default=Response)
+ return response_factory(status = self.forbidden_status,
+ headerlist = headerlist,
+ app_iter = body)
def get_remoteuser(request):
user_id = request.environ.get('REMOTE_USER')
@@ -491,6 +507,27 @@ def WhoInheritingACLSecurityPolicy():
"""
return InheritingACLSecurityPolicy(get_who_principals)
+## class StandaloneInheritingACLSecurityPolicy(InheritingACLSecurityPolicy):
+## def __init__(self, get_principals, login_view_name='login_view',
+## forbidden_view_name='forbidden_view'):
+## self.get_principals = get_principals
+## self.login_view_name = login_view_name
+## self.forbidden_view_name = forbidden_view_name
+
+## def forbidden(self, context, request):
+## from repoze.bfg.view import render_view_to_response
+## from webob import Response
+
+## userid = self.authenticated_userid(request)
+
+## if userid is None:
+## view_name = self.login_view_name
+## else:
+## view_name = self.forbidden_view_name
+
+## return render_view_to_response(context, request, name=view_name,
+## secure=False)
+
class PermitsResult(int):
def __new__(cls, s, *args):
inst = int.__new__(cls, cls.boolval)
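Review bot: The twenty-one `##`-prefixed lines adding `StandaloneInheritingACLSecurityPolicy` are commented-out code checked in as dead text; it cannot be imported, tested or linted, and its `render_view_to_response(..., secure=False)` call will silently go stale against the real API. Either land the class as working code with a docstring stating that it dispatches to a login view for anonymous users and a forbidden view otherwise, or drop the block and rely on version control history. If it must stay as a placeholder, a one-line `# TODO: ...` naming the blocker is clearer than the full body.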
@@ -603,3 +640,21 @@ class ViewPermissionFactory(object):
class Unauthorized(Exception):
pass
+def _forbidden_html(request, status):
+ try:
+ msg = escape(request.environ['repoze.bfg.message'])
+ except KeyError:
+ msg = ''
+ html = """
+ <html>
+ <title>%s</title>
+ <body>
+ <h1>%s</h1>
+ <code>%s</code>
+ </body>
+ </html>
+ """ % (status, status, msg)
+ headers = [('Content-Length', str(len(html))),
+ ('Content-Type', 'text/html')]
+ return [html], headers
+
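Review bot: `_forbidden_html` computes `Content-Length` as `str(len(html))` and sends `Content-Type` as bare `text/html`, so if `request.environ['repoze.bfg.message']` is ever a unicode string with non-ASCII text the length is a code-point count, not a byte count, and the client has no declared charset to decode the body with (whether the environ value can be unicode is not visible here, so confirm against the callers that set it). Declaring the charset and measuring the encoded body fixes both: `html = html.encode('utf-8')` before the headers, with `('Content-Type', 'text/html; charset=utf-8')`. The escaping of the environ message before it is echoed into the page is the right call and is worth stating in a docstring, e.g. `"""Return (app_iter, headerlist) for the forbidden page; the optional repoze.bfg.message environ value is HTML-escaped before being rendered."""`. Style: the new `def` follows `class Unauthorized` with no blank line, where the module convention is two.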