-
-
Save iruwl/cd011f7d3131aeae8615a14554c52bd3 to your computer and use it in GitHub Desktop.
Basic Auth in Pyramid with simple ACLs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pyramid.authentication import BasicAuthAuthenticationPolicy | |
| from pyramid.authorization import ACLAuthorizationPolicy | |
| from pyramid.config import Configurator | |
| from pyramid.httpexceptions import HTTPForbidden | |
| from pyramid.httpexceptions import HTTPUnauthorized | |
| from pyramid.security import ALL_PERMISSIONS | |
| from pyramid.security import Allow | |
| from pyramid.security import Authenticated | |
| from pyramid.security import forget | |
| from pyramid.view import forbidden_view_config | |
| from pyramid.view import view_config | |
| @view_config(route_name='home', renderer='json', permission='view') | |
| def home_view(request): | |
| return { | |
| 'page': 'home', | |
| 'userid': request.authenticated_userid, | |
| 'principals': request.effective_principals, | |
| 'context_type': str(type(request.context)), | |
| } | |
| @forbidden_view_config() | |
| def forbidden_view(request): | |
| if request.authenticated_userid is None: | |
| response = HTTPUnauthorized() | |
| response.headers.update(forget(request)) | |
| # user is logged in but doesn't have permissions, reject wholesale | |
| else: | |
| response = HTTPForbidden() | |
| return response | |
| def check_credentials(username, password, request): | |
| if username == 'admin' and password == 'admin': | |
| # an empty list is enough to indicate logged-in... watch how this | |
| # affects the principals returned in the home view if you want to | |
| # expand ACLs later | |
| return [] | |
| class Root: | |
| # dead simple, give everyone who is logged in any permission | |
| # (see the home_view for an example permission) | |
| __acl__ = ( | |
| (Allow, Authenticated, ALL_PERMISSIONS), | |
| ) | |
| def main(global_conf, **settings): | |
| config = Configurator(settings=settings) | |
| authn_policy = BasicAuthAuthenticationPolicy(check_credentials) | |
| config.set_authentication_policy(authn_policy) | |
| config.set_authorization_policy(ACLAuthorizationPolicy()) | |
| config.set_root_factory(lambda request: Root()) | |
| config.add_route('home', '/') | |
| config.scan(__name__) | |
| return config.make_wsgi_app() | |
| if __name__ == '__main__': | |
| from waitress import serve | |
| app = main({}) | |
| serve(app, listen='localhost:8000') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment