summaryrefslogtreecommitdiff
path: root/docs/tutorials/wiki2
diff options
context:
space:
mode:
Diffstat (limited to 'docs/tutorials/wiki2')
-rw-r--r--docs/tutorials/wiki2/authentication.rst15
-rw-r--r--docs/tutorials/wiki2/src/authentication/tutorial/security.py2
-rw-r--r--docs/tutorials/wiki2/src/authentication/tutorial/templates/layout.jinja24
-rw-r--r--docs/tutorials/wiki2/src/authentication/tutorial/views/auth.py2
-rw-r--r--docs/tutorials/wiki2/src/authentication/tutorial/views/default.py6
5 files changed, 12 insertions, 17 deletions
diff --git a/docs/tutorials/wiki2/authentication.rst b/docs/tutorials/wiki2/authentication.rst
index 4d8723176..414d6c879 100644
--- a/docs/tutorials/wiki2/authentication.rst
+++ b/docs/tutorials/wiki2/authentication.rst
@@ -10,8 +10,7 @@ APIs to add login and logout functionality to our wiki.
We will implement authentication with the following steps:
-* Add a :term:`security policy` and a ``request.user`` computed property
- (``security.py``).
+* Add a :term:`security policy` (``security.py``).
* Add routes for ``/login`` and ``/logout`` (``routes.py``).
* Add login and logout views (``views/auth.py``).
* Add a login template (``login.jinja2``).
@@ -41,10 +40,8 @@ Update ``tutorial/security.py`` with the following content:
:linenos:
:language: python
-Here we've defined:
-
-* A new security policy named ``MySecurityPolicy``, which is implementing most of the :class:`pyramid.interfaces.ISecurityPolicy` interface by tracking a :term:`identity` using a signed cookie implemented by :class:`pyramid.authentication.AuthTktCookieHelper` (lines 8-34).
-* The ``request.user`` computed property is registered for use throughout our application as the authenticated ``tutorial.models.User`` object for the logged-in user (line 42-44).
+Here we've defined a new security policy named ``MySecurityPolicy``, which is implementing most of the :class:`pyramid.interfaces.ISecurityPolicy` interface by tracking a :term:`identity` using a signed cookie implemented by :class:`pyramid.authentication.AuthTktCookieHelper` (lines 8-34).
+The security policy outputs the authenticated ``tutorial.models.User`` object for the logged-in user as the :term:`identity`, which is available as ``request.identity``.
Our new :term:`security policy` defines how our application will remember, forget, and identify users.
It also handles authorization, which we'll cover in the next chapter (if you're wondering why we didn't implement the ``permits`` method yet).
@@ -64,7 +61,7 @@ Identifying the current user is done in a few steps:
#. The result is stored in the ``identity_cache`` which ensures that subsequent invocations return the same identity object for the request.
-Finally, :attr:`pyramid.request.Request.identity` contains either ``None`` or a ``tutorial.models.User`` instance and that value is aliased to ``request.user`` for convenience in our application.
+Finally, :attr:`pyramid.request.Request.identity` contains either ``None`` or a ``tutorial.models.User`` instance.
Note the usage of the ``identity_cache`` is optional, but it has several advantages in most scenarios:
@@ -156,7 +153,7 @@ Only the highlighted lines need to be changed.
If the user either is not logged in or is not in the ``basic`` or ``editor`` roles, then we raise ``HTTPForbidden``, which will trigger our forbidden view to compute a response.
However, we will hook this later to redirect to the login page.
-Also, now that we have ``request.user``, we no longer have to hard-code the creator as the ``editor`` user, so we can finally drop that hack.
+Also, now that we have ``request.identity``, we no longer have to hard-code the creator as the ``editor`` user, so we can finally drop that hack.
These simple checks should protect our views.
@@ -266,7 +263,7 @@ indicated by the highlighted lines.
:emphasize-lines: 2-12
:language: html
-The ``request.user`` will be ``None`` if the user is not authenticated, or a
+The ``request.identity`` will be ``None`` if the user is not authenticated, or a
``tutorial.models.User`` object if the user is authenticated. This check will
make the logout link shown only when the user is logged in, and conversely the
login link is only shown when the user is logged out.
diff --git a/docs/tutorials/wiki2/src/authentication/tutorial/security.py b/docs/tutorials/wiki2/src/authentication/tutorial/security.py
index a4843f286..e0d8ed965 100644
--- a/docs/tutorials/wiki2/src/authentication/tutorial/security.py
+++ b/docs/tutorials/wiki2/src/authentication/tutorial/security.py
@@ -40,5 +40,3 @@ def includeme(config):
config.set_default_csrf_options(require_csrf=True)
config.set_security_policy(MySecurityPolicy(settings['auth.secret']))
- config.add_request_method(
- lambda request: request.identity, 'user', property=True)
diff --git a/docs/tutorials/wiki2/src/authentication/tutorial/templates/layout.jinja2 b/docs/tutorials/wiki2/src/authentication/tutorial/templates/layout.jinja2
index 64a1db0c5..5d6a23410 100644
--- a/docs/tutorials/wiki2/src/authentication/tutorial/templates/layout.jinja2
+++ b/docs/tutorials/wiki2/src/authentication/tutorial/templates/layout.jinja2
@@ -33,13 +33,13 @@
</div>
<div class="col-md-10">
<div class="content">
- {% if request.user is none %}
+ {% if request.identity is none %}
<p class="pull-right">
<a href="{{ request.route_url('login') }}">Login</a>
</p>
{% else %}
<form class="pull-right" action="{{ request.route_url('logout') }}" method="post">
- {{request.user.name}}
+ {{request.identity.name}}
<input type="hidden" name="csrf_token" value="{{ get_csrf_token() }}">
<button class="btn btn-link" type="submit">Logout</button>
</form>
diff --git a/docs/tutorials/wiki2/src/authentication/tutorial/views/auth.py b/docs/tutorials/wiki2/src/authentication/tutorial/views/auth.py
index e1a564415..e66c68a34 100644
--- a/docs/tutorials/wiki2/src/authentication/tutorial/views/auth.py
+++ b/docs/tutorials/wiki2/src/authentication/tutorial/views/auth.py
@@ -53,7 +53,7 @@ def logout(request):
@forbidden_view_config(renderer='tutorial:templates/403.jinja2')
def forbidden_view(exc, request):
- if request.user is None:
+ if request.identity is None:
next_url = request.route_url('login', _query={'next': request.url})
return HTTPSeeOther(location=next_url)
diff --git a/docs/tutorials/wiki2/src/authentication/tutorial/views/default.py b/docs/tutorials/wiki2/src/authentication/tutorial/views/default.py
index 378ce0ae9..4fb715737 100644
--- a/docs/tutorials/wiki2/src/authentication/tutorial/views/default.py
+++ b/docs/tutorials/wiki2/src/authentication/tutorial/views/default.py
@@ -45,7 +45,7 @@ def view_page(request):
def edit_page(request):
pagename = request.matchdict['pagename']
page = request.dbsession.query(models.Page).filter_by(name=pagename).one()
- user = request.user
+ user = request.identity
if user is None or (user.role != 'editor' and page.creator != user):
raise HTTPForbidden
if request.method == 'POST':
@@ -60,7 +60,7 @@ def edit_page(request):
@view_config(route_name='add_page', renderer='tutorial:templates/edit.jinja2')
def add_page(request):
- user = request.user
+ user = request.identity
if user is None or user.role not in ('editor', 'basic'):
raise HTTPForbidden
pagename = request.matchdict['pagename']
@@ -70,7 +70,7 @@ def add_page(request):
if request.method == 'POST':
body = request.params['body']
page = models.Page(name=pagename, data=body)
- page.creator = request.user
+ page.creator = request.identity
request.dbsession.add(page)
next_url = request.route_url('view_page', pagename=pagename)
return HTTPSeeOther(location=next_url)
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-11 16:37:47 +0000