From a435dba13c6bc0fd0199d06fdbb3e43a4f1263c7 Mon Sep 17 00:00:00 2001 From: Patricio Paez Date: Sat, 7 Apr 2012 10:51:58 -0500 Subject: Normalize Authorization in both tutorials 1 - Sync the content of the introduction and the Viewing the Application in a Browser sections - Sync the section structure --- docs/tutorials/wiki2/authorization.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'docs/tutorials/wiki2') diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst index 14b075ce6..9f2ffe9e1 100644 --- a/docs/tutorials/wiki2/authorization.rst +++ b/docs/tutorials/wiki2/authorization.rst @@ -8,9 +8,9 @@ Adding Authorization :term:`authorization`. We'll make use of both features to provide security to our application. Our application currently allows anyone with access to the server to view, edit, and add pages to our wiki. We'll change that -to allow only people who possess a specific username (`editor`) -to add and edit wiki pages but we'll continue allowing anyone with access to -the server to view pages. +to allow only people who are members of a *group* named ``group:editors`` +to add and edit wiki pages but we'll continue allowing +anyone with access to the server to view pages. We will also add a login page and a logout link on all the pages. The login page will be shown when a user is denied @@ -196,8 +196,8 @@ routes: :linenos: :language: python -Adding Login and Logout Views -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Add Login and Logout Views +~~~~~~~~~~~~~~~~~~~~~~~~~~ To our ``views.py`` we'll add a ``login`` view callable which renders a login form and processes the post from the login form, checking credentials. 
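Review bot: the rewritten intro names the ``group:editors`` principal but never says where group membership comes from, and a reader has no way to connect that string to the code that produces it until the ``groupfinder()`` callback turns up many sections later. Suggest a half sentence here, e.g. "members of a *group* named ``group:editors`` (group membership is reported by a ``groupfinder()`` callback we will write)", so the principal in the ACL and the function that emits it are introduced together. The heading rename to the imperative "Add Login and Logout Views" is fine and matches the other section titles.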
@@ -245,8 +245,8 @@ authorized to perform. which associates it with the ``logout`` route. This makes it match when we visit ``/logout``. -Adding the ``login.pt`` Template -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Add the ``login.pt`` Template +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create ``tutorial/tutorial/templates/login.pt`` with the following content: -- cgit v1.2.3 From 9168ec5a6b96824b35788bf7f1ab5cadb236b392 Mon Sep 17 00:00:00 2001 From: Patricio Paez Date: Sat, 7 Apr 2012 19:48:03 -0500 Subject: Ordered sections as per the summary --- docs/tutorials/wiki2/authorization.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/tutorials/wiki2') diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst index 9f2ffe9e1..dcbea2b42 100644 --- a/docs/tutorials/wiki2/authorization.rst +++ b/docs/tutorials/wiki2/authorization.rst @@ -130,8 +130,8 @@ We are now providing the ACL to the application. See the ``factory`` argument to :meth:`pyramid.config.Configurator.add_route` for more info. -Add an Authentication Policy and an Authorization Policy -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Add Authentication and Authorization Policies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Open ``tutorial/__init__.py`` and add these import statements: -- cgit v1.2.3 From 6c3dd2f690c1a92aaf396d44f4b9450a477a67fc Mon Sep 17 00:00:00 2001 From: Patricio Paez Date: Sat, 7 Apr 2012 21:01:25 -0500 Subject: Normalize Authorization in both tutorials 2 - Sync content of Add users and groups, and Add an ACL. - Added yellow highlight to listings in Seeing our changes, added models.py --- docs/tutorials/wiki2/authorization.rst | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'docs/tutorials/wiki2') diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst index dcbea2b42..75037da5f 100644 --- a/docs/tutorials/wiki2/authorization.rst 
+++ b/docs/tutorials/wiki2/authorization.rst @@ -104,7 +104,7 @@ principal the `edit` permission. The ``RootFactory`` class that contains the ACL is a :term:`root factory`. We need to associate it to our :app:`Pyramid` application, so the ACL is -provided to each view as the :term:`context` of each request, as +provided to each view in the :term:`context` of the request, as the ``context`` attribute. Open ``tutorial/tutorial/__init__.py`` and add a ``root_factory`` @@ -321,6 +321,16 @@ when we're done: (Only the highlighted lines need to be added.) +Our ``tutorial/tutorial/models.py`` will look something like this +when we're done: + +.. literalinclude:: src/authorization/tutorial/models.py + :linenos: + :emphasize-lines: 1-4,35-39 + :language: python + +(Only the highlighted lines need to be added.) + Our ``tutorial/tutorial/views.py`` will look something like this when we're done: -- cgit v1.2.3 From c226b1ae080aa7d19c47626b07fe6d8ef6bbba9e Mon Sep 17 00:00:00 2001 From: Patricio Paez Date: Sun, 8 Apr 2012 07:34:21 -0500 Subject: Normalize Authorization in both tutorials 3 - Sync content in Adding Authentication and Authorization policies, Add permission declarations sections - Added missing permission=view in SQL tutorial - Moved __init__.py listing to Seeing our changes --- docs/tutorials/wiki2/authorization.rst | 18 ++++++++++++++++-- .../wiki2/src/authorization/tutorial/views.py | 6 ++++-- docs/tutorials/wiki2/src/tests/tutorial/views.py | 6 ++++-- 3 files changed, 24 insertions(+), 6 deletions(-) (limited to 'docs/tutorials/wiki2') diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst index 75037da5f..0bf50f674 100644 --- a/docs/tutorials/wiki2/authorization.rst +++ b/docs/tutorials/wiki2/authorization.rst
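Review bot: the new wording "provided to each view in the :term:`context` of the request, as the ``context`` attribute" is more confusing than the line it replaces, because it is the ``RootFactory`` instance itself that becomes the request's context (``request.context``), and the ACL is read from that object's ``__acl__`` attribute; "the ``context`` attribute" leaves the reader guessing which attribute holds what. Suggest: "so that the object it returns becomes the :term:`context` of each request (``request.context``) and its ``__acl__`` is consulted for every permission check." Also "associate it to our application" should be "associate it with".

Review bot: the added ``models.py`` listing hardcodes ``:emphasize-lines: 1-4,35-39``; the same commit series already has to renumber the ``views.py`` highlights when two lines are inserted, and nothing in the build fails when the numbers drift, so the wrong lines get highlighted silently. ``:pyobject:`` on the ``literalinclude``, or ``:start-after:``/``:end-before:`` marker comments in the source file, would keep the highlighted spans tied to the code rather than to line counts.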
@@ -160,7 +160,7 @@ Note that the accepts two arguments: ``secret`` and ``callback``. ``secret`` is a string representing an encryption key used by the "authentication ticket" machinery represented by this policy: it is required. The ``callback`` is the -``groupfinder()`` function the we created before. +``groupfinder()`` function that we created before. Add permission declarations ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -180,6 +180,20 @@ decorator for ``add_page()`` and ``edit_page()``, for example: The result is that only users who possess the ``edit`` permission at the time of the request may invoke those two views. +Add a ``permission='view'`` parameter to the ``@view_config`` +decorator for ``view_wiki()`` and ``view_page()``, like this: + +.. code-block:: python + :linenos: + :emphasize-lines: 2 + + @view_config(route_name='view_page', renderer='templates/view.pt', + permission='view') + +(Only the highlighted line needs to be added.) + +This allows anyone to invoke these two views. + We are done with the changes needed to control access. The changes that follow will add the login and logout feature. @@ -336,7 +350,7 @@ when we're done: .. literalinclude:: src/authorization/tutorial/views.py :linenos: - :emphasize-lines: 11,14-18,56,59,71,74,86,89-115,117-121 + :emphasize-lines: 11,14-18,31,37,58,61,73,76,88,91-117,119-123 :language: python (Only the highlighted lines need to be added.) diff --git a/docs/tutorials/wiki2/src/authorization/tutorial/views.py b/docs/tutorials/wiki2/src/authorization/tutorial/views.py index 1453cd2e6..c7670b049 100644 --- a/docs/tutorials/wiki2/src/authorization/tutorial/views.py +++ b/docs/tutorials/wiki2/src/authorization/tutorial/views.py 
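Review bot: "This allows anyone to invoke these two views" describes the outcome backwards. ``permission='view'`` restricts ``view_wiki()`` and ``view_page()`` to principals that the ACL grants ``view`` to; it only amounts to "anyone" if the ``RootFactory`` ACL grants ``view`` to the ``Everyone`` principal, and that ACL is not part of this diff, so please confirm it does. A wording that keeps the cause visible would be: "Because the ACL grants ``view`` to everyone, nobody is locked out, but the views are now governed by the ACL, so tightening it later restricts viewing without touching ``views.py``." Separately, the snippet shows only the ``view_page`` decorator while the sentence above names both views; either show both (the ``view_wiki`` decorator has no ``renderer`` argument) or say explicitly that the same argument goes on both.

Review bot: the ``:emphasize-lines:`` renumbering in the last hunk (``56,59,71,...`` becoming ``58,61,73,...`` after two lines were added) is exactly the maintenance cost of hardcoded line highlights, and the next time ``views.py`` grows these will be wrong again with no build error. ``:pyobject:`` or ``:start-after:``/``:end-before:`` on the ``literalinclude`` would remove this class of edit from future syncs.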
@@ -27,12 +27,14 @@ from .security import USERS # regular expression used to find WikiWords wikiwords = re.compile(r"\b([A-Z]\w+[A-Z]+\w+)") -@view_config(route_name='view_wiki') +@view_config(route_name='view_wiki', + permission='view') def view_wiki(request): return HTTPFound(location = request.route_url('view_page', pagename='FrontPage')) -@view_config(route_name='view_page', renderer='templates/view.pt') +@view_config(route_name='view_page', renderer='templates/view.pt', + permission='view') def view_page(request): pagename = request.matchdict['pagename'] page = DBSession.query(Page).filter_by(name=pagename).first() diff --git a/docs/tutorials/wiki2/src/tests/tutorial/views.py b/docs/tutorials/wiki2/src/tests/tutorial/views.py index 465d98ae1..f2a33af1e 100644 --- a/docs/tutorials/wiki2/src/tests/tutorial/views.py +++ b/docs/tutorials/wiki2/src/tests/tutorial/views.py @@ -27,12 +27,14 @@ from .security import USERS # regular expression used to find WikiWords wikiwords = re.compile(r"\b([A-Z]\w+[A-Z]+\w+)") -@view_config(route_name='view_wiki') +@view_config(route_name='view_wiki', + permission='view') def view_wiki(request): return HTTPFound(location = request.route_url('view_page', pagename='FrontPage')) -@view_config(route_name='view_page', renderer='templates/view.pt') +@view_config(route_name='view_page', renderer='templates/view.pt', + permission='view') def view_page(request): pagename = request.matchdict['pagename'] session = DBSession() -- cgit v1.2.3 From fad5003b4f0cba6217c23e2f3aa40bf7cb4f8200 Mon Sep 17 00:00:00 2001 From: Patricio Paez Date: Sun, 8 Apr 2012 09:13:06 -0500 Subject: Normalize Authorization in both tutorials 4 - Sync content of Add login and logout views, Add the login.pt template, Return a logged_in flag, Add a logout link sections - Normalize sections of views.py --- docs/tutorials/wiki2/authorization.rst | 39 ++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 18 deletions(-) (limited to 'docs/tutorials/wiki2') 
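Review bot: for ``src/authorization/tutorial/views.py`` the explicit ``permission='view'`` is the right change, and worth a sentence in the prose: a view configured without a ``permission`` argument is not subject to the ACL at all unless a default permission has been configured, so before this hunk the ACL had no say over who could read pages, regardless of what it granted to ``Everyone``. Spelling out ``view`` is what actually places these two views under the ACL, which is the opposite of "allows anyone".

Review bot: the ``src/tests/tutorial/views.py`` hunk is a hand-applied duplicate of the change to the authorization copy; two copies that must be kept byte-for-byte in sync (this one already differs in ``session = DBSession()``) is how an omission like the one this commit fixes creeps in unnoticed. If the tests copy has to exist, a test that asserts the decorators of both files agree, or generating one from the other, would catch the next divergence.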
diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst index 0bf50f674..0294f8690 100644 --- a/docs/tutorials/wiki2/authorization.rst +++ b/docs/tutorials/wiki2/authorization.rst @@ -213,8 +213,8 @@ routes: Add Login and Logout Views ~~~~~~~~~~~~~~~~~~~~~~~~~~ -To our ``views.py`` we'll add a ``login`` view callable which renders a login -form and processes the post from the login form, checking credentials. +We'll add a ``login`` view which renders a login form and processes +the post from the login form, checking credentials. We'll also add a ``logout`` view callable to our application and provide a link to it. This view will clear the credentials of the 
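Review bot: "processes the post from the login form, checking credentials" leaves both halves vague; since ``views.py`` imports ``USERS`` from ``.security`` (visible in the context of the previous hunk), say "processes the POST from the login form, checking the submitted username and password against the ``USERS`` mapping in ``security.py``" so the reader knows where the credential check happens and that this tutorial stores credentials in code rather than in the database.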
@@ -240,24 +240,27 @@ expire an auth ticket cookie. Now add the ``login`` and ``logout`` views: .. literalinclude:: src/authorization/tutorial/views.py - :lines: 89-121 + :lines: 91-123 :linenos: :language: python -``login()`` is decorated with two decorators, a -``@view_config`` decorator, which associates it with the ``login`` -route and makes it visible when we visit ``/login``, -and a ``@forbidden_view_config`` decorator which turns it into -an :term:`forbidden view`. The forbidden view is -displayed whenever Pyramid or your application raises an -:class:`pyramid.httpexceptions.HTTPForbidden` exception. In this -case we'll show the login form whenever someone attempts -to execute an action which they're not yet -authorized to perform. +``login()`` is decorated with two decorators: + +- a ``@view_config`` decorator which associates it with the + ``login`` route and makes it visible when we visit ``/login``, +- a ``@forbidden_view_config`` decorator which turns it into + an :term:`forbidden view`. ``login()`` will be invoked + when a users tries to execute a view callable that + they are not allowed to. For example, if a user has not logged in + and tries to add or edit a Wiki page, he will be shown the + login form before being allowed to continue on. + +The order of these two :term:`view configuration` decorators +is unimportant. ``logout()`` is decorated with a ``@view_config`` decorator -which associates it with the ``logout`` route. This makes it match when we -visit ``/logout``. +which associates it with the ``logout`` route. It will be +invoked when we visit ``/logout``. Add the ``login.pt`` Template ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
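Review bot: the rewritten bullet narrows the forbidden view to the "has not logged in" case, but the sentence it replaces was more accurate: the forbidden view is invoked whenever Pyramid or the application raises :class:`pyramid.httpexceptions.HTTPForbidden`, which includes an authenticated user who simply lacks the ``edit`` permission (for example, someone logged in but not in ``group:editors``). That user is shown the login form again, which is worth stating since it is the one surprising behaviour of reusing ``login()`` as the forbidden view. Keep the ``HTTPForbidden`` sentence and add "whether or not they are already logged in". Style in the same bullet: "when a users tries" should be "when a user tries", "that they are not allowed to" needs "to invoke", "he will be shown" should be "they will be shown", and "an :term:`forbidden view`" should be "a". Finally, ``:lines: 91-123`` has the same drift problem as the emphasize-lines elsewhere; two ``literalinclude`` directives with ``:pyobject: login`` and ``:pyobject: logout`` would not need renumbering.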
@@ -291,12 +294,12 @@ like this: .. code-block:: python :linenos: - :emphasize-lines: 3 + :emphasize-lines: 4 return dict(page = page, content = content, - logged_in = authenticated_userid(request), - edit_url = edit_url) + edit_url = edit_url, + logged_in = authenticated_userid(request)) (Only the highlighted line needs to be added.) -- cgit v1.2.3 From 6d46a771ab8af1cd0dd61de0a99f898698c4a961 Mon Sep 17 00:00:00 2001 From: Patricio Paez Date: Sun, 8 Apr 2012 09:50:19 -0500 Subject: Final details - Normalize the Seeing our changes section - Changed import to recommended style --- docs/tutorials/wiki2/authorization.rst | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs/tutorials/wiki2') diff --git a/docs/tutorials/wiki2/authorization.rst b/docs/tutorials/wiki2/authorization.rst index 0294f8690..2ef55d15b 100644 --- a/docs/tutorials/wiki2/authorization.rst +++ b/docs/tutorials/wiki2/authorization.rst @@ -362,6 +362,7 @@ Our ``tutorial/tutorial/templates/edit.pt`` template will look something like this when we're done: .. literalinclude:: src/authorization/tutorial/templates/edit.pt + :linenos: :emphasize-lines: 41-43 :language: xml @@ -371,6 +372,7 @@ Our ``tutorial/tutorial/templates/view.pt`` template will look something like this when we're done: .. literalinclude:: src/authorization/tutorial/templates/view.pt + :linenos: :emphasize-lines: 41-43 :language: xml -- cgit v1.2.3
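Review bot: reordering the dict so ``logged_in`` is last is harmless, but the snippet is the one place where the choice of ``authenticated_userid(request)`` matters and the text does not explain it. ``authenticated_userid()`` only returns a userid after the authentication policy's callback (``groupfinder()``) confirms the user is still known, so a stale auth ticket for a user who has since been removed yields ``None`` and the template correctly shows the logged-out state; ``unauthenticated_userid()`` would trust whatever userid the cookie claims. One sentence saying this would justify the call for readers who otherwise reach for the shorter-named function.

Review bot: ``edit.pt`` and ``view.pt`` both highlight lines 41-43, and now that ``:linenos:`` is switched on those numbers are visible to readers; it is plausible that the logout link lands on the same three lines in two templates derived from the same layout, but please confirm against both files, since a mismatch here used to be invisible and no longer is.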