Dynamic per-user authorization in Pyramid

Published 2024-11-18 16:50:57 · 763 characters · 1 view · 0 comments


I'm following the security guidelines found in the Pyramid docs along with the wiki tutorial Adding Authorization.

Now I need to add restrictions based on a single user rather than groups.

Let's say for example that, if any blog editor can have permission to review all comments, only the post author can edit the post itself.

For the first task I will have something like this in my Root ACL:

from pyramid.security import Allow, Authenticated, Everyone

# Root ACL: only group/role based rules so far
__acl__ = [
    (Allow, Everyone, 'view'),
    (Allow, Authenticated, 'view_profile'),
    (Allow, 'groups:editor', 'edit_comment'),
]

but what about edit_post?

I've read this answer but seems overkill to me for my needs since I don't need to build a resource tree.


Comments (2)

可是我不能没有你 2024-11-25 16:50:57


You already have a "Resource Tree" by creating the Root resource in your project. You just need to add a node on it for posts that will return a Post object with a particular __acl__ that contains only the authorized user id. You can then have your edit_posts route use traverse='/posts/{post_id}' to traverse your resource tree to the Post object with the __acl__ on it.

This isn't difficult, and is the way to have Pyramid do this stuff for you.

If you don't want to use the permission argument you can do the authorization inside of the view itself, like Kirk suggested.

Also, if you don't like this method of adding __acl__ properties and traversal for authorization, you can implement your own AuthorizationPolicy to do what you'd like it to do with a given list of principals and a permission.

The point of Pyramid's auth system is that it's there, which is great. Pyramid by no means requires you to use it and for views that don't use it, there is no performance impact of dealing with it.
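To make the traversal approach in this answer concrete, here is an added example that is not part of the original answer and not Pyramid's own code: a stand-alone model of the resource tree (Root -> posts -> Post) where each Post exposes an __acl__ naming only its author, plus a permits() function that follows the same rules Pyramid's ACLAuthorizationPolicy applies (walk the lineage from the context up to the root, the first ACE whose principal matches decides, default deny). It imports nothing from pyramid so it runs offline; the names Root, Posts, Post, POSTS, can_edit_post and the `user:<id>` principal convention are assumptions made for this illustration.

```python
# Added example: stand-alone model of per-post ACLs and the lineage walk that
# Pyramid's ACLAuthorizationPolicy performs. Not Pyramid's code; the class and
# function names and the `user:<id>` principal scheme are assumptions.

Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"

# Constructed sample data: post id -> author user id.
POSTS = {"1": "alice", "2": "bob"}


class Root:
    """Root resource: the group-based rules from the question live here."""
    __name__ = ""
    __parent__ = None
    __acl__ = [
        (Allow, Everyone, "view"),
        (Allow, Authenticated, "view_profile"),
        (Allow, "groups:editor", "edit_comment"),
    ]

    def __getitem__(self, key):
        if key == "posts":
            return Posts(self)
        raise KeyError(key)


class Posts:
    """Container node with no ACL of its own, so lookups fall through to Root."""
    __name__ = "posts"

    def __init__(self, parent):
        self.__parent__ = parent

    def __getitem__(self, post_id):
        if post_id not in POSTS:
            raise KeyError(post_id)
        return Post(self, post_id, POSTS[post_id])


class Post:
    """Leaf resource whose ACL grants edit_post to its author only."""

    def __init__(self, parent, post_id, author):
        self.__parent__ = parent
        self.__name__ = post_id
        self.author = author

    @property
    def __acl__(self):
        return [(Allow, f"user:{self.author}", "edit_post")]


def lineage(resource):
    """Yield the context, then each __parent__ up to the root."""
    while resource is not None:
        yield resource
        resource = getattr(resource, "__parent__", None)


def permits(context, principals, permission):
    """First ACE in the lineage that matches a principal decides; default deny."""
    for resource in lineage(context):
        for action, principal, perms in getattr(resource, "__acl__", []):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
    return False


def traverse(root, path):
    """Minimal path traversal, e.g. traverse(root, '/posts/1') -> Post."""
    node = root
    for segment in path.strip("/").split("/"):
        if segment:
            node = node[segment]
    return node


def principals_for(userid, groups=()):
    """Effective principals, the way an authentication policy would build them."""
    principals = {Everyone}
    if userid is not None:
        principals |= {Authenticated, f"user:{userid}"} | set(groups)
    return principals


def can_edit_post(root, post_id, userid, groups=()):
    """What a view with permission='edit_post' and traverse='/posts/{post_id}' checks."""
    post = traverse(root, f"/posts/{post_id}")
    return permits(post, principals_for(userid, groups), "edit_post")


if __name__ == "__main__":
    root = Root()
    print(can_edit_post(root, "1", "alice"))                     # True: author
    print(can_edit_post(root, "1", "carol", ["groups:editor"]))  # False: editors do not edit posts
```

Note that an editor still gets edit_comment through the Root ACL while being denied edit_post on a Post, because the lineage walk reaches Root only for permissions the Post's own ACL does not mention; a sibling Deny ACE placed first in Post.__acl__ would short-circuit in the same way.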

蓬勃野心 2024-11-25 16:50:57


You might be making this too complicated. First, only show a link to the edit_post view if the visitor is the post's author. That will handle 99% of the problem by making that view invisible to people who shouldn't see it. For the other 1% - clever users hand-editing the URL to directly access the editing view - add something like this:

from pyramid.security import authenticated_userid
import pyramid.httpexceptions

def edit_post(request):
    ...  # load the post and set `author` to its author's user id (elided in the original)
    if authenticated_userid(request) != author:
        raise pyramid.httpexceptions.HTTPForbidden("You are not this post's author.")