140 lines
4.9 KiB
Python
140 lines
4.9 KiB
Python
# Copyright 2011 Dustin C. Hatch
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
'''Convenient decorators for enforcing authorization on controllers
|
|
|
|
:Created: Mar 3, 2011
|
|
:Author: dustin
|
|
:Updated: $Date$
|
|
:Updater: $Author$
|
|
'''
|
|
|
|
from functools import wraps
|
|
from milla.auth import RequestValidator, NotAuthorized, permissions
|
|
import milla
|
|
import pkg_resources
|
|
|
|
__all__ = ['auth_required', 'require_perms']
|
|
|
|
VALIDATOR_EP_GROUP = 'milla.request_validator'
|
|
|
|
def _find_request(*args, **kwargs):
|
|
try:
|
|
return kwargs['request']
|
|
except KeyError:
|
|
for arg in args:
|
|
if isinstance(arg, milla.Request):
|
|
return arg
|
|
|
|
def _validate_request(func, requirement, *args, **kwargs):
|
|
request = _find_request(*args, **kwargs)
|
|
ep_name = request.config.get('request_validator', 'default')
|
|
|
|
# Override the RequestVariable name with a class from the specified
|
|
# entry point, if one is available. Otherwise, the default is used.
|
|
for ep in pkg_resources.iter_entry_points(VALIDATOR_EP_GROUP, ep_name):
|
|
try:
|
|
RequestValidator = ep.load()
|
|
except:
|
|
continue
|
|
|
|
try:
|
|
validator = RequestValidator()
|
|
validator.validate(request, requirement)
|
|
except NotAuthorized as e:
|
|
return e(request)
|
|
return func(*args, **kwargs)
|
|
|
|
def auth_required(func):
|
|
'''Simple decorator to enforce authentication for a controller
|
|
|
|
Example usage::
|
|
|
|
class SomeController(object):
|
|
|
|
def __before__(request):
|
|
request.user = find_a_user_somehow(request)
|
|
|
|
@milla.auth_required
|
|
def __call__(request):
|
|
return 'Hello, world!'
|
|
|
|
In this example, the ``SomeController`` controller class implements
|
|
an ``__before__`` method that adds the ``user`` attribute to the
|
|
``request`` instance. This could be done by extracting user
|
|
information from the HTTP session, for example. The ``__call__``
|
|
method is decorated with ``auth_required``, which will ensure that
|
|
the user is successfully authenticated. This is handled by a
|
|
*request validator*.
|
|
|
|
If the request is not authorized, the decorated method will never
|
|
be called. Instead, the response is generated by calling the
|
|
:py:exc:`~milla.auth.NotAuthorized` exception raised inside
|
|
the ``auth_required`` decorator.
|
|
'''
|
|
|
|
@wraps(func)
|
|
def wrapper(*args, **kwargs):
|
|
return _validate_request(func, None, *args, **kwargs)
|
|
return wrapper
|
|
|
|
class require_perms(object):
|
|
'''Decorator that requires the user have certain permissions
|
|
|
|
Example usage::
|
|
|
|
class SomeController(object):
|
|
|
|
def __before__(request):
|
|
request.user = find_a_user_somehow(request)
|
|
|
|
@milla.require_perms('some_permission', 'and_this_permission')
|
|
def __call__(request):
|
|
return 'Hello, world!'
|
|
|
|
In this example, the ``SomeController`` controller class implements
|
|
an ``__before__`` method that adds the ``user`` attribute to the
|
|
``request`` instance. This could be done by extracting user
|
|
information from the HTTP session, for example. The ``__call__``
|
|
method is decorated with ``require_perms``, which will ensure that
|
|
the user is successfully authenticated and the the user has the
|
|
specified permissions. This is handled by a *request validator*.
|
|
|
|
There are two ways to specify the required permissions:
|
|
|
|
* By passing the string name of all required permissions as
|
|
positional arguments. A complex permission requirement will be
|
|
constructed that requires *all* of the given permissions to be
|
|
held by the user in order to validate
|
|
* By explicitly passing an instance of
|
|
:py:class:`~milla.auth.permissions.Permission` or
|
|
:py:class:`~milla.auth.permissions.PermissionRequirement`
|
|
'''
|
|
|
|
def __init__(self, *requirements):
|
|
requirement = None
|
|
for req in requirements:
|
|
if isinstance(req, basestring):
|
|
req = permissions.Permission(req)
|
|
if not requirement:
|
|
requirement = req
|
|
else:
|
|
requirement &= req
|
|
self.requirement = requirement
|
|
|
|
def __call__(self, func):
|
|
@wraps(func)
|
|
def wrapper(*args, **kwargs):
|
|
return _validate_request(func, self.requirement, *args, **kwargs)
|
|
return wrapper
|