From 5f6f7184a997cb2dfa341eef53259d4254a242e8 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sun, 15 Dec 2019 20:27:10 -0800 Subject: Remove requirement that identity is validated. --- docs/glossary.rst | 5 ++--- docs/narr/security.rst | 28 +++++++++++++++++++--------- src/pyramid/interfaces.py | 11 +++++------ 3 files changed, 26 insertions(+), 18 deletions(-) diff --git a/docs/glossary.rst b/docs/glossary.rst index 5edc4eeab..8152c7b96 100644 --- a/docs/glossary.rst +++ b/docs/glossary.rst @@ -303,9 +303,8 @@ Glossary request. Oftentimes this is the ID of the user object in a database. identity - An identity is an object identifying the user associated with the - current request. The identity can be any object, but security policies - should ensure that it represents a valid user (not deleted or deactivated). + An identity is an object identifying the user associated with the current request. + The object can be of any shape, such as a simple ID string or an ORM object. security policy A security policy in :app:`Pyramid` terms is an object implementing the diff --git a/docs/narr/security.rst b/docs/narr/security.rst index cdc16b6a1..60be067bf 100644 --- a/docs/narr/security.rst +++ b/docs/narr/security.rst @@ -69,17 +69,21 @@ A simple security policy might look like the following: from pyramid.security import Allowed, Denied class SessionSecurityPolicy: + def authenticated_userid(self, request): + """ Return a string ID for the user. """ + userid = self.identify(request).id + if validate_userid(request, userid): + return userid + else: + return None + def identify(self, request): """ Return app-specific user object. """ - userid = request.session.get('userid') + userid = self.authenticated_userid if userid is None: return None return load_identity_from_db(request, userid) - def authenticated_userid(self, request): - """ Return a string ID for the user. """ - return self.identify(request).id - def permits(self, request, context, permission): """ Allow access to everything if signed in. """ identity = self.identify(request) @@ -141,12 +145,18 @@ For example, our above security policy can leverage these helpers like so: def __init__(self): self.helper = SessionAuthenticationHelper() - def identify(self, request): + def authenticated_userid(self, request): userid = self.helper.authenticated_userid(request) - return load_identity_from_db(request, userid) + if validate_userid(request, userid): + return userid + else: + return None - def authenticated_userid(self, request): - return self.identify(request).id + def identify(self, request): + userid = self.authenticated_userid + if userid is None: + return None + return load_identity_from_db(request, userid) def permits(self, request, context, permission): """ Allow access to everything if signed in. """ diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index 891b851ee..c0ff317a4 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -483,17 +483,16 @@ class IViewMapperFactory(Interface): class ISecurityPolicy(Interface): - def identify(request): - """ Return an object identifying a trusted and verified user for the - current request. The object can be of any shape, such as a simple ID - string or an ORM object. - """ - def authenticated_userid(request, identity): """ Return a :term:`userid` string identifying the trusted and verified user, or ``None`` if unauthenticated. """ + def identify(request): + """ Return the :term:`identity` of the current user. The object can be + of any shape, such as a simple ID string or an ORM object. + """ + def permits(request, context, permission): """ Return an instance of :class:`pyramid.security.Allowed` if a user of the given identity is allowed the ``permission`` in the current -- cgit v1.2.3