Pyramid authentication using Pyramid
In the pyramid documentation, the Sqlalchemy Dispatch Tutorial uses dummy data in security.py. I needed to use mysql data so I implemented it like this:
My Login Code
import hashlib

from pyramid.httpexceptions import HTTPFound
from pyramid.security import remember
from pyramid.view import view_config
from sqlalchemy import and_

from .models import DBSession, Users


@view_config(route_name='login', renderer='json', permission='view')
def user_login(request):
    session = DBSession  # scoped_session: query() works without calling it
    username = request.params['username']
    password = request.params['password']
    # Hash the submitted password the same way it is stored in the Users table
    sha = hashlib.md5()
    sha.update(password.encode('utf-8'))
    password = sha.hexdigest()
    user = session.query(Users).filter(
        and_(Users.username == username, Users.password == password)).count()
    if user != 0:
        # Set the auth cookie; groupfinder() later receives this username
        headers = remember(request, username)
        return HTTPFound(location='/index/', headers=headers)
    else:
        print("error")
The above makes the system remember username that will be used in security.py. Below, I use this to get the group the user is in.
from .models import (
    DBSession,
    Users,
)


def groupfinder(userid, request):
    session = DBSession()
    # Returns on the first matching row; falls through to None when no row matches
    for instance in session.query(Users).filter(Users.username == userid):
        group = 'group:' + instance.group
        lsth = {'userid': [group]}
        return lsth.get('userid')
Is this the best way to use pyramid authorization?
You have the idea right.
Your groupfinder is broken right now. Notice you have a for-loop with a return statement inside. The groupfinder should return at least an empty list [] if the user is valid. Only return None if the user is invalid. Also an md5 of the password is pretty crappy these days. Look at the cryptacular or passlib libraries for performing a cryptographic hash instead via bcrypt.
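The two points raised in the answer, as an added example that is not part of the question or the answer and not Pyramid's or SQLAlchemy's own code: a groupfinder that returns a list for every known user (empty when the user has no group) and None only for an unknown user, next to a salted password check. The in-memory _USERS dict is a constructed stand-in for the Users table, and PBKDF2-HMAC from the standard library stands in for bcrypt via passlib or cryptacular so the block runs offline; both are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the Users table: username -> salt, hash, group.
# The real code queries MySQL through SQLAlchemy; this dict keeps the example offline.
_USERS = {}


def hash_password(password, salt=None, iterations=200000):
    """Salted PBKDF2-HMAC-SHA256 from the standard library.
    Assumed stand-in for bcrypt through passlib/cryptacular, which the answer recommends."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return salt, digest


def add_user(username, password, group):
    """Store only the salt and the derived hash, never the password itself."""
    salt, digest = hash_password(password)
    _USERS[username] = {'salt': salt, 'hash': digest, 'group': group}


def check_login(username, password):
    """True only if the user exists and the password verifies.
    The derived hash is compared in constant time, and an unknown user still
    costs one derivation so response time does not reveal which usernames exist."""
    record = _USERS.get(username)
    salt = record['salt'] if record else b'\x00' * 16
    _, candidate = hash_password(password, salt)
    if record is None:
        return False
    return hmac.compare_digest(candidate, record['hash'])


def groupfinder(userid, request=None):
    """Pyramid-style group callback with the contract from the answer:
    a list (possibly empty) for a valid user, None for an unknown one."""
    record = _USERS.get(userid)
    if record is None:
        return None          # unknown user: no principals at all
    groups = []
    if record['group']:
        groups.append('group:' + record['group'])
    return groups            # valid user, even with no group, gets a list


# Constructed sample accounts
add_user('alice', 'correct horse battery', 'editors')
add_user('bob', 'hunter2', '')
```

Seeding the table at import time is only for the example; in the application the rows come from the query the question already shows, and the callback is registered as the `callback` of the AuthTktAuthenticationPolicy so that remember(request, username) and groupfinder(userid, request) work on the same username.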