Dynamic user based authorization in Pyramid

I'm following security guidelines found on Pyramid docs along with wiki tutorial Adding Authorization

Now I need to add restrictions based on a single user rather than on groups.

Let's say, for example, that while any blog editor can have permission to review all comments, only the post author can edit the post itself.

For the first task I will have something like this in my Root ACL:

from pyramid.security import Allow, Everyone, Authenticated

__acl__ = [
    (Allow, Everyone, 'view'),
    (Allow, Authenticated, 'view_profile'),
    (Allow, 'groups:editor', 'edit_comment'),
]

but what about edit_post?

I've read this answer, but it seems overkill for my needs, since I don't need to build a resource tree.

neurino asked Jul 05 '11 15:07



1 Answer

You already have a "Resource Tree" by creating the Root resource in your project. You just need to add a node on it for posts that will return a Post object with a particular __acl__ that contains only the authorized user id. You can then have your edit_posts route use traverse='/posts/{post_id}' to traverse your resource tree to the Post object with the __acl__ on it.

This isn't difficult, and is the way to have Pyramid do this stuff for you.

If you don't want to use the permission argument you can do the authorization inside of the view itself, like Kirk suggested.

Also, if you don't like this method of adding __acl__ properties and traversal for authorization, you can implement your own AuthorizationPolicy to do what you'd like it to do with a given list of principals and a permission.

The point of Pyramid's auth system is that it's there, which is great. Pyramid by no means requires you to use it and for views that don't use it, there is no performance impact of dealing with it.

Michael Merickel answered Nov 08 '22 07:11

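The resource tree the answer describes, as an added worked example (written for this page, not code from the question, the answer, or the Pyramid project): a Root with the group-level ACL from the question, a posts node that resolves a post id, and a Post leaf whose __acl__ names only its author. The permits() helper reimplements the first-match ACL walk that Pyramid's ACL authorization performs over the context's lineage, so the authorization decision can be exercised without a running app; the POSTS table, the user ids and the route/view names in includeme() are constructed assumptions, and the constant fallback mirrors Pyramid's real string values only so the block runs when Pyramid is not installed.

```python
# Added example for this page, not the original poster's code.
try:
    from pyramid.authorization import Allow, Deny, Everyone, Authenticated
except ImportError:  # fallback with Pyramid's actual values, so the ACL logic runs stand-alone
    Allow, Deny = 'Allow', 'Deny'
    Everyone, Authenticated = 'system.Everyone', 'system.Authenticated'

# Constructed sample data standing in for a posts table.
POSTS = {
    '1': {'author': 'alice', 'title': 'First post'},
    '2': {'author': 'bob', 'title': 'Second post'},
}


class Root:
    """Root resource: the group-level rules from the question live here."""
    __name__ = ''
    __parent__ = None
    __acl__ = [
        (Allow, Everyone, 'view'),
        (Allow, Authenticated, 'view_profile'),
        (Allow, 'groups:editor', 'edit_comment'),
    ]

    def __getitem__(self, key):
        if key == 'posts':
            return PostsContainer(self, key)
        raise KeyError(key)


class PostsContainer:
    """Traversal node for /posts; it has no __acl__, so Root's rules still apply below it."""
    def __init__(self, parent, name):
        self.__parent__ = parent
        self.__name__ = name

    def __getitem__(self, post_id):
        row = POSTS.get(post_id)
        if row is None:
            raise KeyError(post_id)  # unknown id: traversal fails, Pyramid answers 404
        return Post(self, post_id, row)


class Post:
    """Leaf resource whose ACL grants 'edit_post' only to the author's user id."""
    def __init__(self, parent, name, row):
        self.__parent__ = parent
        self.__name__ = name
        self.author = row['author']
        self.title = row['title']

    @property
    def __acl__(self):
        # Built per instance: the single authorized principal is the author's user id.
        return [(Allow, self.author, 'edit_post')]


def lineage(resource):
    """Yield the resource, then each __parent__ up to the root."""
    while resource is not None:
        yield resource
        resource = getattr(resource, '__parent__', None)


def permits(context, principals, permission):
    """First-match ACL walk from the context up to the root, in the same order
    Pyramid's ACL authorization uses: the first ACE whose principal is one of the
    caller's principals and that names the permission decides; no match means deny."""
    for resource in lineage(context):
        acl = getattr(resource, '__acl__', None)
        if acl is None:
            continue
        if callable(acl):  # Pyramid also accepts __acl__ as a method
            acl = acl()
        for action, principal, perms in acl:
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
    return False


def traverse(root, path):
    """Resolve a traversal path such as '/posts/1' against the tree."""
    node = root
    for segment in path.strip('/').split('/'):
        node = node[segment]
    return node


def edit_post(request):
    # In a real app the Post resolved by traversal is request.context.
    return {'title': request.context.title}


def includeme(config):
    """Assumed wiring for a real Pyramid app: traverse= makes the Post the view's
    context, so permission='edit_post' is checked against the Post's own __acl__
    before the view body runs."""
    config.add_route('edit_post', '/posts/{post_id}/edit',
                     traverse='/posts/{post_id}')
    config.add_view(edit_post, route_name='edit_post', permission='edit_post')
```

In a deployed app the principal list is produced by the authentication policy: Pyramid adds Everyone, Authenticated and the user id itself, and a groupfinder callback contributes entries such as 'groups:editor'. Note that an editor who is not the author still fails 'edit_post' on someone else's Post even though Root grants that group 'edit_comment': the Post ACL is consulted first, and the Root ACL never names 'edit_post' at all.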