TurboGears – Authorization & Authentication
A TurboGears application is created by quickstart and setup-app options of the gearbox toolkit, which has the authorization and authentication support enabled by default. The models declared in auth.py are set up and initialized as per values assigned in bootstrap.py.
The following models are declared in auth.py −
The User model contains the design of a tg_user table. This table is used by the repose.who package. This repose.who package is a powerful as well as an extensible authentication library for WSGI applications. The structure of a user model is as follows −
class User(DeclarativeBase): """ __tablename__ = 'tg_user' user_id = Column(Integer, autoincrement = True, primary_key=True) user_name = Column(Unicode(16), unique = True, nullable = False) email_address = Column(Unicode(255), unique = True,nullable=False) display_name = Column(Unicode(255)) _password = Column('password', Unicode(128)) created = Column(DateTime, default = datetime.now)
This group model contains the definition tg_group table. Its definition is given in auth.py as follows −
class Group(DeclarativeBase): __tablename__ = 'tg_group' group_id = Column(Integer, autoincrement = True,primary_key = True) group_name = Column(Unicode(16),unique = True,nullable = False) display_name = Column(Unicode(255)) created = Column(DateTime, default = datetime.now)
Another model permission is also set up, which contains permission definition.
class Permission(DeclarativeBase): __tablename__ = 'tg_permission' permission_id = Column(Integer,autoincrement = True,primary_key = True) permission_name = Column(Unicode(63), unique = True, nullable = False) description = Column(Unicode(255))
At the time of setting up models, the following data is added in these tables −
u = model.User() u.user_name = 'manager' u.display_name = 'Example manager' u.email_address = 'email@example.com' u.password = 'managepass' model.DBSession.add(u) g = model.Group() g.group_name = 'managers' g.display_name = 'Managers Group' g.users.append(u) model.DBSession.add(g) p = model.Permission() p.permission_name = 'manage' p.description = 'This permission gives an administrative right' p.groups.append(g) model.DBSession.add(p) u1 = model.User() u1.user_name = 'editor' u1.display_name = 'Example editor' u1.email_address = 'firstname.lastname@example.org' u1.password = 'editpass' model.DBSession.add(u1)
The predicates module in tg package contains definitions for predicate checkers. A predicate is a condition that must be met for the user to be able to access the requested source. Such a predicate, or condition, may be made up of more predicates – those are called compound predicates. Action controllers, or controllers, may have only one predicate, be it single or compound.
If a user is not logged in, or does not have the proper permissions, this predicate checker throws a 401 (HTTP Unauthorized), which is caught by the repoze.who middleware to display the login page allowing the user to login, and redirecting the user back to the proper page when they are done.
The different conditions or predicates defined in tg.predicates module are −
|Sr.No.||tg.predicates module & Description|
Check if all predicates specified are met
Check if at least one of specified predicates are met
Check that the authenticated user's username is the specified one
Check that the user belongs to the specific group.
Check that the user belongs to all of the specified groups.
Check that the user belongs to at least one of the specified groups.
Check that the current user is anonymous.
Check that the current user has the specified permission.
Check that the current user has been granted all of the specified permissions.
Check that the user has at least one of the specified permissions.
For example, if you have a predicate, which is grant access user belonging to customers group, then you can use the following built-in predicate checker −
from tg.predicates import in_group p in_group(‘customers’)
The following predicate checker will grant access to ‘root’ user or anybody with ‘manage’ permission −
from tg.predicates import Any, is_user, has_permission p = Any(is_user('root'), has_permission('manage'), sg = 'Only administrators can remove blog posts')