
Changes between Version 7 and Version 8 of IdentityManagement


Timestamp: 11/26/05 08:42:44
Author: Richard (koorb)
Comment: tidy up

  • IdentityManagement

    v7 v8  
    11= Identity Management = 
    22 
    3  
    43  '''This was ripped from [http://metrocat.org/nerd/2005/10/identity-management-for-turbogears Jeff Watkins' blog].''' 
    54 
    65  ...with a little changes to play nice with latest svn [as of 6th Nov 2005] 
    76 
    8  
    97I just committed the code for the TurboGears identity management support (revision 89). And because this is such new code, I thought it might be helpful to include a short How To for getting everything up and running. 
    108 
    119This How To is written from the perspective of a fresh quick-started project, but most everything applies for existing projects. 
    1210 
    13 ---- 
    14 '''Step 1''' Create new project (idtest). Set dburi. 
    15 ---- 
    16 '''Step 2''' Edit idtest.egg-info/sqlobject.txt 
     11== Quick start example == 
     12 
     13=== Step 1 - Create new project ===  
     14{{{ 
     15#!python 
     16$ tg-admin quickstart  
     17}}} 
     18Name your project idtest and set the dburi in dev.cfg to point to a server and database you want to use. 
     19 
     20=== Step 2 - Edit idtest.egg-info/sqlobject.txt === 
    1721{{{ 
    1822#!python 
    1923db_module=idtest.model,  turbogears.identity.model.somodel 
    2024}}} 
    21 ---- 
    22 '''Step 3''' Create login.kid 
     25 
     26=== Step 3 - Create login.kid template === 
    2327{{{ 
    2428#!text/html 
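Review bot: the new Step 1 block at lines 14-17 wraps a shell command, `$ tg-admin quickstart`, in a `#!python` processor; the command is typed at a shell prompt, not a Python one, and the Step 7 and Step 8 blocks added later in this same change use a bare `{{{ ... }}}` for the same kind of `$ tg-admin ...` line. Drop the `#!python` line here so the quick start is consistent with itself. While touching the Step 1 text, `set the dburi in dev.cfg to point to a server and database you want to use` would benefit from one more sentence: if the dburi for that server carries a username and password, dev.cfg then holds credentials and should not be checked in alongside the project.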
     
    5054    </html> 
    5155}}} 
    52 '''Step 4''' Create secured.kid 
     56 
     57=== Step 4 - Create secured.kid template === 
    5358{{{ 
    5459#!text/html 
     
    7176</html> 
    7277}}} 
    73 ---- 
    74 '''Step 5''' Add to the top of controllers.py: 
     78 
     79=== Step 5 - edit controllers.py === 
     80Ad this code to the top of the file: 
    7581{{{ 
    7682#!python 
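Review bot: typo at new line 80, `Ad this code to the top of the file:` should read `Add this code to the top of the file:`. The new heading at line 79, `=== Step 5 - edit controllers.py ===`, is also the only step heading with a lower-case verb; the others read `Create`, `Edit`, `Turn on`, so capitalise `Edit` here as well.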
     
    7884import cherrypy 
    7985}}} 
    80 and to the model class: 
     86 
     87Then add this inside the model class: 
     88 
    8189{{{ 
    8290#!python 
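Review bot: `Then add this inside the model class:` at new line 87 keeps the v7 wording `and to the model class:`, but the file being edited is controllers.py (see the Step 5 heading) and the block that follows ends in `return dict()`, the tail of an exposed controller method. Say `controller class` so that readers do not paste the secured method into model.py, where identity would never see it.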
     
    97105    return dict() 
    98106}}} 
    99 ---- 
    100 '''Step 6''' Turn on Identity management and configure failure url in dev.cfg 
     107 
     108=== Step 6 - Turn on Identity management === 
     109Edit dev.cfg and to turn on identity management and set the failure url in dev.cfg 
    101110{{{ 
    102111[global] 
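Review bot: the sentence at new line 109, `Edit dev.cfg and to turn on identity management and set the failure url in dev.cfg`, has a stray `and to` and repeats `in dev.cfg`; suggest `Edit dev.cfg to turn on identity management and set the failure URL:`.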
     
    104113identity.failure_url="/login" 
    105114}}} 
    106 ---- 
    107 '''Step 7''' Create the database 
    108 {{{ 
    109 tg-admin sql create 
    110 }}} 
    111 ---- 
    112 '''Step 8''' Create a user and group 
    113 {{{ 
    114 tg-admin shell 
     115 
     116=== Step 7 - Create the database === 
     117{{{ 
     118$ tg-admin sql create 
     119}}} 
     120 
     121=== Step 8 - Create a user and group === 
     122{{{ 
     123$ tg-admin shell 
    115124 
    116125Python 2.4.1 (#2, Mar 31 2005, 00:05:10)  
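Review bot: the only identity setting visible in this hunk is `identity.failure_url="/login"` at new line 113; the setting that the Step 6 heading promises (turning identity on) is not shown here, so a reader skimming the diff sees only the redirect target. Worth adding a sentence after the block saying that `/login` is where every failed identity check is sent, and that the `login` method in controllers.py must therefore be reachable without any identity requirement of its own, otherwise a failed check redirects to a page that fails the same check again.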
     
    126135>>> 
    127136}}} 
    128 ---- 
    129 '''Step 9''' Start project and visit secured page and login. Should fail with message: 
     137 
     138=== Step 9 - Testing the login === 
     139Start the project: 
     140{{{ 
     141#!python 
     142$ ./idtest-start.py 
     143}}} 
     144 
     145and visit secured page http://localhost:8080/secured and login with the username and password you just created. It should fail with the message: 
    130146{{{ 
    131147Not member of group: admin 
    132148}}} 
    133 ---- 
    134 '''Step 10''' Add user to admin group 
    135 {{{ 
    136 tg-admin shell 
     149 
     150=== Step 10 - Add the user to admin group === 
     151{{{ 
     152$ tg-admin shell 
    137153 
    138154Python 2.4.1 (#2, Mar 31 2005, 00:05:10)  
     
    148164>>> 
    149165}}} 
    150 ---- 
    151 '''Step 11''' Revisit secured page and login. Should succeed. 
    152  
    153 ---- 
    154 === Other Considerations === 
    155  
    156 '''How do I retrieve the userId in my application code?''' 
    157  
    158 Actually you can access the entire User object by accessing turbogears.identity.current.user. This gives you access to the userId, displayName, emailAddress, and creation date. 
    159  
    160 '''So, if I wanted to access the users’ group info, how would I do that?''' 
    161  
    162 There are two ways you can access the group information. 
    163  
    164 '''1.''' Via the current identity object: 
    165 {{{ 
    166 #!python 
    167 from turbogears import identity 
    168 if 'admin' in identity.current.groups: 
    169     pass 
    170 }}} 
    171 '''2.''' Via the user object on the current identity: 
    172 {{{ 
    173 #!python 
    174 from turbogears import identity 
    175 if 'admin' in [g.groupId for g in identity.current.user.groups]: 
    176     pass 
    177 }}} 
    178  
    179 ''Option number 2 only works if your using a Model that supports groups on the user object. So, with the default model you’ll be set. Other models might not work so well.'' 
    180  
    181 ---- 
    182 === Restricting Access to whole Subdirectory === 
     166 
     167=== Step 11 - Revisit secured page and login === 
     168 
     169Browse to http://localhost:8080/secured again and login, this time you should see the content of secured.kid 
     170 
     171---- 
     172 
     173== Restricting Access to whole Subdirectory == 
    183174 
    184175(from mailing list) 
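Review bot: the `=== Other Considerations ===` block removed at old lines 154-180 is not lost; it reappears word for word as `== FAQ's ==` at new lines 221-246, so this hunk is a move plus the promotion of `=== Restricting Access to whole Subdirectory ===` to a level-2 heading. Two small fixes while here: new line 169, `Browse to http://localhost:8080/secured again and login, this time you should see the content of secured.kid`, is a comma splice, so split it after `login`; and `login` used as a verb should be `log in`, both here and in Step 9.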
     
    187178 
    188179{{{ 
     180#!python 
    189181class Toxicologia(controller.Controller, identity.SecureResource): 
    190182     required_permissions= ["write"] 
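Review bot: the Toxicologia example at new line 181 derives from `controller.Controller`, while the MyController example further down the page derives from `controllers.Controller`; one of the two module names is a typo, and since this snippet is marked `(from mailing list)` it should be checked against the module the quick start actually imports rather than left as quoted. The `required_permissions= ["write"]` line is also indented five spaces, which looks like a copy artefact; four spaces keeps the snippet pasteable. The `#!python` processor added here is correct.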
     
    194186}}} 
    195187 
    196 You can apply whatever decorators you want on the methods of the 
    197 Toxicologia instance. So each method could have additional 
    198 restrictions. And Toxicologia could have SecureObjects as well. 
    199 However, access to exposed methods of Toxicologia and any 
    200 SecureObjects would have to satisfy the authorisation requirements 
    201 for Toxicologia. 
    202  
    203 ---- 
    204 === Specifying an 'or' type for group Access === 
     188You can apply whatever decorators you want on the methods of the Toxicologia instance. So each method could have additional restrictions. And Toxicologia could have SecureObjects as well. However, access to exposed methods of Toxicologia and any SecureObjects would have to satisfy the authorisation requirements for Toxicologia. 
     189 
     190---- 
     191 
     192== Specifying an 'or' type for group Access == 
    205193 
    206194There are two ways to handle this: 
    207195 
    208 '''1''' Derive your Controller from SecureResource (in addition to 
    209 Controller) and check the permissions explicitly. For example: 
    210  
    211 {{{ 
     196'''1''' Derive your Controller from SecureResource (in addition to Controller) and check the permissions explicitly. For example: 
     197{{{ 
     198#!python 
    212199class MyController( controllers.Controller, identity.SecureResource ): 
    213200 
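Review bot: wording at new line 208, `So if your code throws, er, raises an IdentityException`, is mailing-list banter that reads oddly in a wiki; make it `So if your code raises an IdentityException`. The same paragraph is the right place to spell out the converse of what it already says: because SecureResource only traps IdentityExceptions, an explicit check that merely logs or returns on failure instead of raising does not deny access, so the `check the permissions explicitly` step in option 1 must end in a raise. The reflow of the wrapped paragraphs onto single lines and the added `#!python` tag on the MyController block change no content.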
     
    219206}}} 
    220207 
    221 This will work because SecureResource wraps all exposed methods with 
    222 code that checks permissions and traps IdentityExceptions. So if your 
    223 code throws, er, raises an IdentityException, everything will be 
    224 handled correctly. 
    225  
    226 Of course, you can then pull your authorisation logic out into a 
    227 function that you call rather than copying and pasting into each 
    228 function that requires it. 
    229  
    230 '''2''' Write your own decorator function. This is not for the faint at 
    231 heart. But it gives you absolute flexibility. Take a look at the two 
    232 decorators in turbogears/identity/conditions.py. They'll give you a 
    233 head-start on what you'll have to do. 
     208This will work because SecureResource wraps all exposed methods with code that checks permissions and traps IdentityExceptions. So if your code throws, er, raises an IdentityException, everything will be handled correctly. 
     209 
     210Of course, you can then pull your authorisation logic out into a function that you call rather than copying and pasting into each function that requires it. 
     211 
     212'''2''' Write your own decorator function. This is not for the faint at heart. But it gives you absolute flexibility. Take a look at the two decorators in turbogears/identity/conditions.py. They'll give you a head-start on what you'll have to do. 
    234213 
    235214---- 
    236215=== Applying security settings, not from source code, but from configuration data === 
    237216 
    238 You should be able to specify security settings not only from source 
    239 code but via some other means. The goal is to allow an administrator 
    240 to set the security policy, not the programmer. 
     217You should be able to specify security settings not only from source code but via some other means. The goal is to allow an administrator to set the security policy, not the programmer. 
     218 
     219---- 
     220 
     221== FAQ's == 
     222 
     223=== How do I retrieve the userId in my application code? === 
     224 
     225Actually you can access the entire User object by accessing turbogears.identity.current.user. This gives you access to the userId, displayName, emailAddress, and creation date. 
     226 
     227=== So, if I wanted to access the users’ group info, how would I do that? === 
     228 
     229There are two ways you can access the group information. 
     230 
     231'''1.''' Via the current identity object: 
     232{{{ 
     233#!python 
     234from turbogears import identity 
     235if 'admin' in identity.current.groups: 
     236    pass 
     237}}} 
     238'''2.''' Via the user object on the current identity: 
     239{{{ 
     240#!python 
     241from turbogears import identity 
     242if 'admin' in [g.groupId for g in identity.current.user.groups]: 
     243    pass 
     244}}} 
     245 
     246''Option number 2 only works if your using a Model that supports groups on the user object. So, with the default model you’ll be set. Other models might not work so well.'' 
     247----
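Review bot: heading levels are now inconsistent: `=== Applying security settings, not from source code, but from configuration data ===` at new line 215 stays at level 3 while its neighbours were promoted to level 2 in this change (`== Specifying an 'or' type for group Access ==`, `== FAQ's ==`); promote it too, and write `FAQs` rather than `FAQ's`. In the moved FAQ text, `if your using a Model` at new line 246 should be `if you're using a Model`. The italic note already says the two group checks are not equivalent for every model; it would help readers to state the preference directly, namely use `identity.current.groups` (the first form), since it does not depend on the user object exposing a `groups` attribute.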