I'm following security guidelines found on Pyramid docs along with wiki tutorial Adding Authorization
Now I need to add restrictions based un single user rather than groups.
Let's say for example that, if any blog editor can have permission to review all comments, only post author can edit the post itself.
For the first task I will have in my Root ACL like this:
__acl__ = [ (Allow, Everyone, 'view'),
(Allow, Authenticated, 'view_profile'),
(Allow, 'groups:editor', 'edit_comment')
]
but whay about for edit_post
?
I've read this answer but seems overkill to me for my needs since I don't need to build a resource tree.
You already have a "Resource Tree" by creating the Root
resource in your project. You just need to add a node on it for posts
that will return a Post
object with a particular __acl__
that contains only the authorized user id. You can then have your edit_posts
route use traverse='/posts/{post_id}'
to traverse your resource tree to the Post
object with the __acl__
on it.
This isn't difficult, and is the way to have Pyramid do this stuff for you.
If you don't want to use the permission
argument you can do the authorization inside of the view itself, like Kirk suggested.
Also, if you don't like this method of adding __acl__
properties and traversal for authorization, you can implement your own AuthorizationPolicy
to do what you'd like it to do with a given list of principals and a permission.
The point of Pyramid's auth system is that it's there, which is great. Pyramid by no means requires you to use it and for views that don't use it, there is no performance impact of dealing with it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With