TurboGears – Authorization & Authentication



A TurboGears application created with the quickstart and setup-app commands of the gearbox toolkit has authorization and authentication support enabled by default. The models declared in auth.py are set up and populated with the values assigned in bootstrap.py.

The following models are declared in auth.py −

User Model

The User model defines the tg_user table. This table is used by the repoze.who package, a powerful and extensible authentication library for WSGI applications. The structure of the User model is as follows −

from datetime import datetime
from sqlalchemy import Column, DateTime, Integer, Unicode

class User(DeclarativeBase):
    __tablename__ = 'tg_user'

    user_id = Column(Integer, autoincrement=True, primary_key=True)
    user_name = Column(Unicode(16), unique=True, nullable=False)
    email_address = Column(Unicode(255), unique=True, nullable=False)
    display_name = Column(Unicode(255))
    # Stored in the 'password' column; the quickstart model exposes a 'password'
    # property whose setter hashes the value, so bootstrap.py never stores plain text.
    _password = Column('password', Unicode(128))
    created = Column(DateTime, default=datetime.now)

Group Model

The Group model defines the tg_group table. Its definition in auth.py is as follows −

class Group(DeclarativeBase):
    __tablename__ = 'tg_group'

    group_id = Column(Integer, autoincrement=True, primary_key=True)
    group_name = Column(Unicode(16), unique=True, nullable=False)
    display_name = Column(Unicode(255))
    created = Column(DateTime, default=datetime.now)

Permission Model

A third model, Permission, is also set up; it holds the permission definitions.

class Permission(DeclarativeBase):
    __tablename__ = 'tg_permission'

    permission_id = Column(Integer, autoincrement=True, primary_key=True)
    permission_name = Column(Unicode(63), unique=True, nullable=False)
    description = Column(Unicode(255))

When the models are set up, bootstrap.py adds the following data to these tables −

# A user; assigning to .password goes through the hashing setter of the User model
u = model.User()
u.user_name = 'manager'
u.display_name = 'Example manager'
u.email_address = 'manager@somedomain.com'
u.password = 'managepass'

model.DBSession.add(u)

# A group containing that user
g = model.Group()
g.group_name = 'managers'
g.display_name = 'Managers Group'
g.users.append(u)

model.DBSession.add(g)

# A permission granted to the group (and therefore to every user in it)
p = model.Permission()
p.permission_name = 'manage'
p.description = 'This permission gives an administrative right'
p.groups.append(g)

model.DBSession.add(p)

# A second user with no group membership and no permissions
u1 = model.User()
u1.user_name = 'editor'
u1.display_name = 'Example editor'
u1.email_address = 'editor@somedomain.com'
u1.password = 'editpass'

model.DBSession.add(u1)

Predicate Model

The predicates module in the tg package contains the definitions of the predicate checkers. A predicate is a condition that must be met for the user to be allowed to access the requested resource. A predicate may itself be made up of other predicates; these are called compound predicates. A controller action may have only one predicate, single or compound.

If a user is not logged in, or does not have the proper permissions, the predicate checker raises a 401 (HTTP Unauthorized). The repoze.who middleware catches it, displays the login page so the user can log in, and redirects the user back to the requested page once they are done.

The different conditions, or predicates, defined in the tg.predicates module are −

Sr.No.  Predicate             Description
1       All                   Check that all of the specified predicates are met
2       Any                   Check that at least one of the specified predicates is met
3       is_user               Check that the authenticated user's username is the specified one
4       in_group              Check that the user belongs to the specified group
5       in_all_groups         Check that the user belongs to all of the specified groups
6       in_any_group          Check that the user belongs to at least one of the specified groups
7       is_anonymous          Check that the current user is anonymous
8       has_permission        Check that the current user has the specified permission
9       has_all_permissions   Check that the current user has been granted all of the specified permissions
10      has_any_permission    Check that the user has at least one of the specified permissions

For example, to grant access only to users belonging to the customers group, use the following built-in predicate checker −

from tg.predicates import in_group
p = in_group('customers')

The following predicate checker grants access to the 'root' user or to anybody with the 'manage' permission −

from tg.predicates import Any, is_user, has_permission
p = Any(is_user('root'), has_permission('manage'),
        msg='Only administrators can remove blog posts')
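To make the composition rules concrete, here is an added, self-contained model of how these checkers evaluate and compose. It is not tg.predicates itself: the classes and the identity dictionaries (user name, group names, permission names) are assumptions constructed for this example, mirroring the bootstrap data above, where 'manager' holds 'manage' through the 'managers' group.

```python
class NotAuthorizedError(Exception):
    """Raised when a predicate is not met; TurboGears turns this into HTTP 401."""

def denial_reason(predicate, identity):
    """None when the predicate grants access, else the msg shown with the 401/login page."""
    try:
        predicate.evaluate(identity)
    except NotAuthorizedError as e:
        return str(e)
    return None

class _Has:
    """Single checker: `value` must appear in identity[field] (a group or permission)."""
    field = None
    def __init__(self, value, msg='Not authorized'):
        self.value, self.msg = value, msg
    def evaluate(self, identity):
        if self.value not in identity.get(self.field, ()):
            raise NotAuthorizedError(self.msg)

class in_group(_Has): field = 'groups'
class has_permission(_Has): field = 'permissions'
class is_user(_Has):
    def evaluate(self, identity):
        if identity.get('user_name') != self.value:
            raise NotAuthorizedError(self.msg)

class Any:
    """Compound checker: met if at least one sub-predicate is met, else its own msg."""
    def __init__(self, *predicates, msg='Not authorized'):
        self.predicates, self.msg = predicates, msg
    def evaluate(self, identity):
        if all(denial_reason(p, identity) for p in self.predicates):
            raise NotAuthorizedError(self.msg)

class All(Any):
    """Compound checker: every sub-predicate must be met; the first failure propagates."""
    def evaluate(self, identity):
        for p in self.predicates:
            p.evaluate(identity)

# Constructed identities mirroring the bootstrap data: 'manager' holds the 'manage'
# permission through the 'managers' group; an anonymous visitor has nothing at all.
MANAGER = {'user_name': 'manager', 'groups': {'managers'}, 'permissions': {'manage'}}
EDITOR = {'user_name': 'editor', 'groups': set(), 'permissions': set()}
ANONYMOUS = {}

# The compound predicate from the text: 'root' or anybody with 'manage' may remove posts.
remove_posts = Any(is_user('root'), has_permission('manage'),
                   msg='Only administrators can remove blog posts')
```

Note that with Any the user sees the compound predicate's own msg, while with All the message of the first failing sub-predicate is what reaches the login page.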