From c26a4a59465d95432a45f6ac0c8c55803f055832 Mon Sep 17 00:00:00 2001 From: Chris McDonough Date: Wed, 23 Jun 2010 14:24:54 +0000 Subject: do an indirection through a group at the behest of alex marandon --- docs/tutorials/bfgwiki/authorization.rst | 52 ++++++++++++++++------ docs/tutorials/bfgwiki/basiclayout.rst | 2 +- docs/tutorials/bfgwiki/definingmodels.rst | 2 +- docs/tutorials/bfgwiki/definingviews.rst | 2 +- docs/tutorials/bfgwiki/index.rst | 2 +- .../src/authorization/tutorial/configure.zcml | 1 + .../bfgwiki/src/authorization/tutorial/login.py | 8 ++-- .../bfgwiki/src/authorization/tutorial/models.py | 2 +- .../bfgwiki/src/authorization/tutorial/security.py | 2 +- 9 files changed, 50 insertions(+), 23 deletions(-) (limited to 'docs/tutorials') diff --git a/docs/tutorials/bfgwiki/authorization.rst b/docs/tutorials/bfgwiki/authorization.rst index 8c2ab1df9..8ae3c079d 100644 --- a/docs/tutorials/bfgwiki/authorization.rst +++ b/docs/tutorials/bfgwiki/authorization.rst @@ -4,15 +4,15 @@ Adding Authorization Our application currently allows anyone with access to the server to view, edit, and add pages to our wiki. For purposes of demonstration -we'll change our application to allow people whom possess a specific -username (`editor`) to add and edit wiki pages but we'll continue -allowing anyone with access to the server to view pages. +we'll change our application to allow people whom are members of a +*group* named ``group:editors`` to add and edit wiki pages but we'll +continue allowing anyone with access to the server to view pages. :mod:`repoze.bfg` provides facilities for *authorization* and *authentication*. We'll make use of both features to provide security to our application. The source code for this tutorial stage can be browsed at -`docs.repoze.org `_. +`docs.repoze.org `_. Configuring a ``repoze.bfg`` Authentication Policy -------------------------------------------------- 
@@ -37,6 +37,13 @@ invocation can not be authorized. When you're done, your :linenos: :language: xml +Note that the ``authtktauthenticationpolicy`` tag has two attributes: +``secret`` and ``callback``. ``secret`` is a string representing an +encryption key used by the "authentication ticket" machinery +represented by this policy: it is required. The ``callback`` is a +string, representing a :term:`Python dotted name`, which points at the +``groupfinder`` function in the current directory's ``security.py`` +file. We haven't added that module yet, but we're about to. Adding ``security.py`` ~~~~~~~~~~~~~~~~~~~~~~ @@ -54,8 +61,12 @@ The ``groupfinder`` function defined here is an authorization policy the userid exists in the set of users known by the system, the callback will return a sequence of group identifiers (or an empty sequence if the user isn't a member of any groups). If the userid -*does not* exist in the system, the callback will return ``None``. -We'll use "dummy" data to represent user and groups sources. +*does not* exist in the system, the callback will return ``None``. In +a production system this data will most often come from a database, +but here we use "dummy" data to represent user and groups +sources. Note that the ``editor`` user is a member of the +``group:editors`` group in our dummy group data (the ``GROUPS`` data +structure). Adding Login and Logout Views ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -153,7 +164,8 @@ class scope to our ``Wiki`` class: .. code-block:: python :linenos: - __acl__ = [ (Allow, Everyone, 'view'), (Allow, 'editor', 'edit') ] + __acl__ = [ (Allow, Everyone, 'view'), + (Allow, 'group:editors', 'edit') ] It's only happenstance that we're assigning this ACL at class scope. An ACL can be attached to an object *instance* too; this is how "row 
@@ -195,16 +207,30 @@ pass a ``permission`` argument to each of our - We add ``permission='edit'`` to the decorator attached to the ``add_page`` view function. This makes the assertion that only users who possess the effective ``view`` permission at the time of - the request may invoke this view. We've granted the``editor`` - principal the view permission at the root model via its ACL, so only - the user named ``editor`` will able to invoke the ``add_page`` view. + the request may invoke this view. We've granted the + ``group:editors`` principal the view permission at the root model + via its ACL, so only the a user whom is a member of the group named + ``group:editors`` will able to invoke the ``add_page`` view. We've + likewise given the ``editor`` user membership to this group via thes + ``security.py`` file by mapping him to the ``group:editors`` group + in the ``GROUPS`` data structure (``GROUPS = + {'editor':['group:editors']}``); the ``groupfinder`` function + consults the ``GROUPS`` data structure. This means that the + ``editor`` user can add pages. - We add ``permission='edit'`` to the ``bfg_view`` decorator attached to the ``edit_page`` view function. This makes the assertion that only users who possess the effective ``view`` permission at the time - of the request may invoke this view. We've granted ``editor`` the - view permission at the root model via its ACL, so only the user - named ``editor`` will able to invoke the ``edit_page`` view. + of the request may invoke this view. We've granted the + ``group:editors`` principal the view permission at the root model + via its ACL, so only the a user whom is a member of the group named + ``group:editors`` will able to invoke the ``edit_page`` view. 
We've + likewise given the ``editor`` user membership to this group via thes + ``security.py`` file by mapping him to the ``group:editors`` group + in the ``GROUPS`` data structure (``GROUPS = + {'editor':['group:editors']}``); the ``groupfinder`` function + consults the ``GROUPS`` data structure. This means that the + ``editor`` user can edit pages. Viewing the Application in a Browser ------------------------------------ diff --git a/docs/tutorials/bfgwiki/basiclayout.rst b/docs/tutorials/bfgwiki/basiclayout.rst index 27e59880a..bbfab7247 100644 --- a/docs/tutorials/bfgwiki/basiclayout.rst +++ b/docs/tutorials/bfgwiki/basiclayout.rst @@ -8,7 +8,7 @@ to most :term:`traversal` -based :mod:`repoze.bfg` (and :term:`ZODB` based) projects. The source code for this tutorial stage can be browsed at -`docs.repoze.org `_. +`docs.repoze.org `_. ``__init__.py`` --------------- diff --git a/docs/tutorials/bfgwiki/definingmodels.rst b/docs/tutorials/bfgwiki/definingmodels.rst index 475e35442..1edb9c2c2 100644 --- a/docs/tutorials/bfgwiki/definingmodels.rst +++ b/docs/tutorials/bfgwiki/definingmodels.rst @@ -12,7 +12,7 @@ container for "Page" objects, which will be instances of the "Page" class. The source code for this tutorial stage can be browsed at -`docs.repoze.org `_. +`docs.repoze.org `_. Deleting the Database --------------------- diff --git a/docs/tutorials/bfgwiki/definingviews.rst b/docs/tutorials/bfgwiki/definingviews.rst index 72101d258..ecd0bc8fc 100644 --- a/docs/tutorials/bfgwiki/definingviews.rst +++ b/docs/tutorials/bfgwiki/definingviews.rst @@ -26,7 +26,7 @@ wire them into :mod:`repoze.bfg` using some :term:`view configuration` via :term:`ZCML`. The source code for this tutorial stage can be browsed at -`docs.repoze.org `_. +`docs.repoze.org `_. Adding View Functions ===================== diff --git a/docs/tutorials/bfgwiki/index.rst b/docs/tutorials/bfgwiki/index.rst index 3ba79b714..2e5318e74 100644 --- a/docs/tutorials/bfgwiki/index.rst 
+++ b/docs/tutorials/bfgwiki/index.rst @@ -10,7 +10,7 @@ with authentication. For cut and paste purposes, the source code for all stages of this tutorial can be browsed at `docs.repoze.org -`_. +`_. .. toctree:: :maxdepth: 2 diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml b/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml index 5297b9ee3..50b68ef35 100644 --- a/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml +++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/configure.zcml @@ -12,6 +12,7 @@ diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py b/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py index 08b3db359..8620dc705 100644 --- a/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py +++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/login.py @@ -10,8 +10,8 @@ from tutorial.models import Wiki from tutorial.security import USERS @bfg_view(context=Wiki, name='login', renderer='templates/login.pt') -def login(context, request): - login_url = model_url(context, request, 'login') +def login(request): + login_url = model_url(request.context, request, 'login') referrer = request.url if referrer == login_url: referrer = '/' # never use the login form itself as came_from @@ -37,8 +37,8 @@ def login(context, request): ) @bfg_view(context=Wiki, name='logout') -def logout(context, request): +def logout(request): headers = forget(request) - return HTTPFound(location = model_url(context, request), + return HTTPFound(location = model_url(request.context, request), headers = headers) diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py b/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py index 976f5e3e9..08e1da7e4 100644 --- a/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py +++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/models.py 
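Review bot: The `referrer == login_url` guard that follows the rewritten `login_url = model_url(request.context, request, 'login')` compares against `request.url`, which in WebOb includes the query string, so a request to the login view that carries any query parameters never matches and the login page itself becomes the came_from fallback, the exact case the comment on the next line says must be avoided. Comparing `request.path_url == login_url` (path only, query dropped) would make the guard fire whenever the current request is the login view, assuming model_url's element form yields the same path as path_url. This is pre-existing rather than introduced by the signature change, but the hunk rewrites the line that builds login_url. login's body continues past the end of the hunk.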
@@ -7,7 +7,7 @@ from repoze.bfg.security import Everyone class Wiki(PersistentMapping): __name__ = None __parent__ = None - __acl__ = [ (Allow, Everyone, 'view'), (Allow, 'editor', 'edit') ] + __acl__ = [ (Allow, Everyone, 'view'), (Allow, 'group:editors', 'edit') ] class Page(Persistent): def __init__(self, data): diff --git a/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py b/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py index 791367183..cfd13071e 100644 --- a/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py +++ b/docs/tutorials/bfgwiki/src/authorization/tutorial/security.py @@ -1,6 +1,6 @@ USERS = {'editor':'editor', 'viewer':'viewer'} -GROUPS = {'editor':['group.editors']} +GROUPS = {'editor':['group:editors']} def groupfinder(userid, request): if userid in USERS: -- cgit v1.2.3
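Review bot: The new ACE `(Allow, 'group:editors', 'edit')` in Wiki.__acl__ only grants anything when the `groupfinder` callback returns that exact string, and the matching rename in security.py's GROUPS (`group.editors` to `group:editors`) lands in this same commit, yet neither file records the coupling. A comment above the ACL, `# principal must match the group ids returned by security.groupfinder`, would make it visible to the next person editing either side. The rewritten line also runs past 79 columns; the two-line form shown for it in authorization.rst in this commit would keep the source file and the tutorial text identical. The hunk ends inside Page.__init__, which continues beyond it.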
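Review bot: `groupfinder` in security.py has no docstring, although its return contract, a sequence of group ids for a known userid and `None` for an unknown one, is what the authtkt policy's `callback` relies on (the contract is spelled out in authorization.rst in this commit, not in the code). A one-line docstring such as `"""Return the group ids for *userid* from GROUPS, or None if the user is not in USERS."""` would put it where callers read it. groupfinder's body continues outside the hunk, so the None/empty-sequence branches are not visible here.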