Occasionally disabling Pyramid middleware


Problem description

Note: If it's any help, I'm using Pyramid 1.3.2. I know it's a little out of date, I would prefer not to update right away, but I might be able to force an update if the latest version provides better support for this use case.

The Pyramid-based application I'm working on has a strict authorization policy: all calls must be authenticated. Since 1) it's tedious to add this manually on every request handler; and 2) we don't want anybody to "forget" adding authentication, we enforce this server-wide using a simple Pyramid middleware (tween) that verifies all incoming requests.

Recently, this restriction has been slightly relaxed: occasionally, some resources should support (safe & idempotent) GET without authentication.

It seems this is directly opposed to the usual design ideas behind authentication in most web frameworks (optional authentication), so I can't get it to work quite as expected.

QUESTION: What is the correct approach to implementing an authorization middleware that authenticates & verifies authorization by default, but can be disabled on a view-by-view basis?

So far, I've tried adding a simple decorator like so:

def allows_anonymous_access(f):
  # Mark the view callable so the middleware can recognise it later.
  f.allows_anonymous_access = True
  return f

@allows_anonymous_access
def my_pyramid_view(request):
  # ... view body ...
  pass

In my middleware, I would like to use it like this:

from pyramid.httpexceptions import HTTPUnauthorized

# extract_user, InvalidCredentials and AnonymousUser are the application's
# own helpers (not shown in the post).
def authorization_middleware(handler, registry):
  def verify_authorization(request):
    # Identify the user making the request.  Make sure we get the
    # user's identity if provided, even when the request handler
    # allows anonymous access.
    try:
      request.principal = extract_user(request)
    except InvalidCredentials:
      if getattr(handler, 'allows_anonymous_access', False):
        request.principal = AnonymousUser()
      else:
        raise HTTPUnauthorized(...)
    # Invoke the handler.
    return handler(request)
  # Return the tween that will pre/post-process the request.
  return verify_authorization

However, when the middleware executes, handler is not my view. It happens to be a bound method (pyramid.router.Router.handle_request) which does not provide me access to the view callable, meaning I cannot access the flag set by the middleware.

Recommended answer

You probably want pyramid.config.set_default_permission(permission). From the docs:

Adding a default permission makes it unnecessary to protect each view configuration with an explicit permission, unless your application policy requires some exception for a particular view.

If a default permission is in effect, view configurations meant to create a truly anonymously accessible view (even exception view views) must use the value of the permission importable as pyramid.security.NO_PERMISSION_REQUIRED. When this string is used as the permission for a view configuration, the default permission is ignored, and the view is registered, making it available to all callers regardless of their credentials.

Answer provided by raydeo_ on #pyramid freenode IRC channel.
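As an added example (not code from the post, nor from Pyramid itself), a small self-contained model of the approach the answer recommends: a default permission that every view inherits, an explicit NO_PERMISSION_REQUIRED opt-out for the public views, and the check performed once the view is resolved rather than in a tween, where the handler is only the router. In real Pyramid the same wiring is config.set_default_permission('authenticated') plus @view_config(..., permission=NO_PERMISSION_REQUIRED) on the public view; the Registry, extract_user and dispatch helpers below are constructed stand-ins.

```python
NO_PERMISSION_REQUIRED = "__no_permission_required__"  # mirrors pyramid.security's

class HTTPUnauthorized(Exception): pass  # stand-in for pyramid.httpexceptions.HTTPUnauthorized

class Registry:
    def __init__(self, default_permission="authenticated"):
        self.default_permission = default_permission
        self.views = {}

    def add_view(self, path, view, permission=None):
        # Secure default: a view that declares nothing inherits the default;
        # only an explicit NO_PERMISSION_REQUIRED opts out.
        perm = self.default_permission if permission is None else permission
        self.views[path] = (view, perm)

def extract_user(request):
    """Constructed toy credential check: 'Authorization: token <name>'.
    Returns the principal name, or None for an anonymous request."""
    auth = request.get("Authorization", "")
    return auth[len("token "):] if auth.startswith("token ") else None

def handle_request(registry, request):
    view, permission = registry.views[request["path"]]
    # Identity is extracted even for public views, so they can still
    # personalise for a logged-in caller (the poster's requirement).
    principal = extract_user(request)
    # The check runs once the view is resolved; a tween sits above the router
    # and never sees the view, so getattr(handler, ...) could not find the flag.
    if permission != NO_PERMISSION_REQUIRED and principal is None:
        raise HTTPUnauthorized(request["path"])
    return view(principal)

def private_view(principal):
    return "hello " + principal

def public_view(principal):
    return "public for " + (principal or "anonymous")

def build_registry():
    registry = Registry(default_permission="authenticated")
    registry.add_view("/private", private_view)  # default permission applies
    registry.add_view("/public", public_view, permission=NO_PERMISSION_REQUIRED)
    return registry

def dispatch(path, authorization=None):
    # Returns (status, body) for a constructed request dict.
    request = {"path": path} if authorization is None else {"path": path, "Authorization": authorization}
    try:
        return 200, handle_request(build_registry(), request)
    except HTTPUnauthorized:
        return 401, None
```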
