
Changes between Version 30 and Version 31 of IdentityManagement


Timestamp:
04/02/06 22:32:06 (13 years ago)
Author:
fredlin
Comment:

re-organize extend area

  • IdentityManagement

    v30 v31  
    5959}}} 
    6060 
     61The require decorator checked whether the visitor was a member of the   
     62admin group AND had the permission foo AND had the permission bar. 
     63 
    6164Let's visit the http://localhost:8080/, now the index page is protected. 
    6265 
    63 Note: You may need to revise the above code for the @identity.require decorator. In a [http://groups.google.com/group/turbogears/browse_thread/thread/8dc90943e2cce3ce/42de9e3ae86f7aaf?q=identity&rnum=1#42de9e3ae86f7aaf recent mailing list post], Jeff Watkins writes the most of usages.(see the end of the post)  
     66Note: You may need to revise the above code for the @identity.require decorator. In a [http://groups.google.com/group/turbogears/browse_thread/thread/8dc90943e2cce3ce/42de9e3ae86f7aaf?q=identity&rnum=1#42de9e3ae86f7aaf mailing list], Jeff Watkins writes the most of usages.(see the end of the post)  
    6467 
    6568=== Step 5 - Create a user and group === 
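Review bot: The note at new line 66 still tells readers they "may need to revise the above code" for @identity.require without saying what to revise, and now that the link text reads "mailing list" the trailing "(see the end of the post)" has no post to refer to. Since lines 61-62 now document the decorator's AND semantics on the page itself, state the needed revision inline or drop the note. Line 61 should also use the present tense ("checks", not "checked").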
     
    110113 
    111114 
    112 === Extend - protect your sub-directory === 
    113  
    114 To turn on identity login for an entire controller(restrict access to whole subdirectory), you should be able to derive from identity.SecureResource and define a require attribute at the class level.  
    115  
    116 {{{ 
    117 #!python 
    118 class MySecureController( turbogears.Controller,   
    119 identity.SecureResource ): 
     115== Extend == 
     116 
     117=== Strict the group Access === 
     118 
     119There are three ways to Strict the group Access: 
     120 
     121'''1''' Protect your sub-directory  
     122 
     123To turn on identity login for an entire controller(restrict access to whole subdirectory), you should be able to derive your Controller from identity.SecureResource and define a require attribute at the class level. 
     124 
     125{{{ 
     126#!python 
     127class MySecureController( turbogears.Controller,  identity.SecureResource ): 
    120128        require= identity.in_group( "admin" ) 
    121129 
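Review bot: "Strict" is used as a verb in the new heading at line 117 and in the sentence at line 119; these should read "Restrict group access" and "There are three ways to restrict group access". Line 123 also hedges with "you should be able to derive", which is weak wording for access-control documentation: say plainly that deriving the controller from identity.SecureResource and setting require at class level applies the check to the whole controller. The bold '''1''' markers would be clearer as a numbered wiki list.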
     
    125133You can apply whatever decorators you want on the methods of the Toxicologia instance. So each method could have additional restrictions. And Toxicologia could have SecureObjects as well. However, access to exposed methods of Toxicologia and any SecureObjects would have to satisfy the authorisation requirements for Toxicologia. 
    126134 
    127 ---- 
    128  
    129 = Following contents haven't been re-processed yet = 
    130  
    131  
    132 == Specifying an 'or' type for group Access == 
    133  
    134 There are two ways to handle this: 
    135  
    136 '''1''' Derive your Controller from SecureResource (in addition to Controller) and check the permissions explicitly. For example: 
     135'''2''' Check the permissions explicitly 
     136 
     137Derive your Controller from identity.SecureResource and define a require attribute at the method level 
     138 
    137139{{{ 
    138140#!python 
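Review bot: New line 137 says to "define a require attribute at the method level", but the item title at line 135 and the removed line 136 both describe checking the permissions explicitly inside the method, so the title and its description now disagree. Reword line 137 to match the explicit check. Also keep a sentence from the removed "Specifying an 'or' type for group Access" heading, so readers know this option exists for the either-group case; as merged, items 2 and 3 come from a different list than item 1.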
     
    145147             raise identity.GroupMembershipRequiredException( ("admin", "super") ) 
    146148}}} 
    147  
    148149This will work because SecureResource wraps all exposed methods with code that checks permissions and traps IdentityExceptions. So if your code throws, er, raises an IdentityException, everything will be handled correctly. 
    149150 
    150151Of course, you can then pull your authorisation logic out into a function that you call rather than copying and pasting into each function that requires it. 
    151152 
    152 '''2''' Write your own decorator function. This is not for the faint at heart. But it gives you absolute flexibility. Take a look at the two decorators in turbogears/identity/conditions.py. They'll give you a head-start on what you'll have to do. 
    153  
    154 ---- 
    155  
    156 == Identity and Kid templates == 
     153'''3''' Write your own decorator function. This is not for the faint at heart. But it gives you absolute flexibility. Take a look at the two decorators in turbogears/identity/conditions.py. They'll give you a head-start on what you'll have to do. 
     154 
     155---- 
     156 
     157 
     158=== Identity and Kid templates === 
    157159In addition to restricting access to methods in controller files, identity checks can also be used to limit what links(or any other element, for that matter) show up in kid templates. This is done using py:if="" statements, like so: 
    158160{{{ 
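Review bot: With the heading at new line 158 demoted under "Extend", the template section now sits beside the access-restriction options, and line 159 can be read as one more way to restrict access. A py:if test only controls whether an element is rendered, so add a sentence saying that the controller method behind a hidden link still needs its own require check. The heading at 158 also needs a blank line before the paragraph at 159, as the headings at 115 and 117 have.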
     
    170172and omit the "turbogears" part of the py:if statement. 
    171173---- 
     174 
     175 
     176 
     177=== Use different classes === 
     178You can use your own class on Identity Management. 
     179 
     180'''1''' Create SQL tables   
     181 
     182Run the application as Step 3. All TG_* tables will be created 
     183 
     184'''2''' Edit project_name/config/app.cfg,  
     185 
     186Edit app.cfg, remove the comments from "identity.soprovider" lines.  
     187 
     188{{{ 
     189#!python 
     190# The classes you wish to use for your Identity model. Leave these commented out 
     191# to use the default classes for SqlObjectIdentityProvider. Or set them to the 
     192# classes in your model. NOTE: These aren't TG_* because the TG prefix is 
     193# reserved for classes created by TurboGears. 
     194identity.soprovider.model.user="project_name.model.User" 
     195identity.soprovider.model.group="project_name.model.Group" 
     196identity.soprovider.model.permission="project_name.model.Permission" 
     197}}} 
     198 
     199Change model."User", "Group", "Permission" to whatever you prefer.  
     200 
     201'''3''' Run the application  
     202 
     203Run the application again as in Step 3. Then you can use your classes to manipulate TurboGear Identity Management. 
     204 
     205 * refer [http://groups.google.com/group/turbogears/browse_thread/thread/37fc2c8a1a2155ed/be061d37b3f1ba4c#be061d37b3f1ba4c mailing list] 
     206 
     207---- 
     208 
     209= Following contents haven't been re-processed yet = 
     210 
     211 
    172212=== Applying security settings, not from source code, but from configuration data === 
    173213 
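Review bot: Steps 1 to 3 of the new "Use different classes" section (lines 180-203) point identity.soprovider.model.user, .group and .permission at project_name.model classes but never tell the reader to define those classes or what they must provide. Step 1 also creates the TG_* tables for the default classes without saying whether they remain in use afterwards. Add the model step before the app.cfg edit. Smaller points: the app.cfg fragment at 188-197 is tagged #!python although it is configuration, "TurboGear" at line 203 is missing its final s, and the level-one heading at 209 is followed directly by a level-three heading at 212.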
     
    263303 
    264304 
    265  
    266  
    267305  '''TurboGears identity management architecture was originally from [http://metrocat.org/nerd/2005/10/identity-management-for-turbogears Jeff Watkins' blog].'''