How do I restrict permissions based on the single page ID in the URL?

Views: 158

Problem description

I'm trying to implement Pyramid's Security features in my website but I'm having some trouble figuring out how to use it.

I've been reading over this tutorial (http://docs.pylonsproject.org/projects/pyramid/en/1.3-branch/tutorials/wiki2/authorization.html) and this example, as well as the Pyramid docs, and I can't figure out how to implement an authorization policy for single page IDs.

For example, I have the following URL scheme:

/pages
/pages/12

/pages obviously lists the available pages and /pages/:id is where you can read/comment on the page.

The documentation/examples I've read have shown that you can implement group-level ACLs by providing a groupfinder callback with a list of groups, such as editor, admin, etc.

How can I avoid using a group for permissions and instead grant rights based on the page id?

In my URL scheme above, when the user browses to /pages they must be logged in. When they browse to /pages/:id, they must have been given access to view that particular id. Or, they must be the owner of that page.

Same as comments. On the /page/:id page, they may have been given access to view the page but not comment on it.

Recommended answer

The basic principle here is that Pyramid's security machinery checks the ACL on the current context. In this case your page would be the logical context to use. The first step is to set up a context factory for a page. Assuming you are using SQLAlchemy and URL dispatch this is simple to do. Register your route like this:

config.add_route('page', r'/pages/{id:\d+}', factory=page_factory)  # raw string so \d is not treated as an escape

There is a little trick in the path for the route that makes Pyramid check that the page id is a number, so you do not have to check that yourself. Note the reference to a *page_factory* method. Let's define that now:

def page_factory(request):
    return DBSession.query(Page).get(int(request.matchdict['id']))

This takes the page id from the route and uses that to lookup the page in your database. Notice that we do not check if the id can be converted to an integer here: we can get away with that since the route already checks that directly.

The next step is to set up the ACL on the page. The simplest way is to add an __acl__ property to your Page class:

from pyramid import security

class Page(BaseObject):
    @property
    def __acl__(self):
        return [(security.Allow, self.userid, 'view')]

This ACL tells pyramid that only the user with the id stored in page.userid is allowed to view that page. What is important to realise here is that the ACL is different for every page: it is generated for every page separately based on the information in your database; in this case using self.userid.

You can now use the view permission on your view:

from pyramid.view import view_config

@view_config(route_name='page', context=Page, permission='view')
def page_view(context, request):
    return 'I can see!'

This example has a very minimal ACL for a page, but you can extend that to fit your needs.

Also note the context=Page parameter for view_config: this tells Pyramid that this view should only be used if the context is a Page. If the context factory (page_factory in this example) did not find a matching page it will return None instead of a Page instance, so this view will not be used by Pyramid. As a result Pyramid will automatically produce a not-found error.
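The following is an added, stand-alone example that is not part of the original answer and does not use Pyramid itself: it re-implements, in simplified form, the first-match rule that Pyramid's ACL authorization applies to a context's __acl__, so it runs without a Pyramid install. It goes a little beyond the answer by covering both things the question asked for: the owner gets view and comment, other users get only the grants stored for that page, and /pages requires a logged-in user. The users, pages, the RootFactory class and the check_request and permits helpers are constructed for this demonstration; the lineage walk and ALL_PERMISSIONS handling of the real pyramid.authorization code are left out.

```python
# Added example: a stand-alone model of Pyramid's per-context ACL check.
# Not the original answer's code and not Pyramid's own implementation.
from dataclasses import dataclass, field

# String stand-ins for pyramid.security.Allow / Deny / Everyone / Authenticated
Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"


@dataclass
class Page:
    """A page row: userid is the owner, viewers/commenters are per-page grants."""
    id: int
    userid: str
    viewers: set = field(default_factory=set)
    commenters: set = field(default_factory=set)

    @property
    def __acl__(self):
        # Built from this page's own data, so every page gets a different ACL.
        acl = [(Allow, self.userid, ("view", "comment"))]  # owner may do both
        acl += [(Allow, user, "view") for user in sorted(self.viewers)]
        acl += [(Allow, user, ("view", "comment")) for user in sorted(self.commenters)]
        return acl


class RootFactory:
    """Hypothetical context for /pages: any logged-in user may list pages."""
    __acl__ = [(Allow, Authenticated, "view")]


# Constructed stand-in for the database: alice owns page 12, bob may only
# view it, carol may view and comment.
PAGES = {12: Page(id=12, userid="alice", viewers={"bob"}, commenters={"carol"})}


def page_factory(matchdict):
    """Equivalent of the answer's page_factory, minus SQLAlchemy."""
    # The route pattern /pages/{id:\d+} already rejects non-numeric ids;
    # the isdigit() check only stands in for that route constraint here.
    raw = matchdict.get("id", "")
    if not raw.isdigit():
        return None
    return PAGES.get(int(raw))  # None when no such page -> Pyramid answers 404


def effective_principals(userid):
    """Principals Pyramid computes for a request: Everyone, plus
    Authenticated and the user id when someone is logged in."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid]
    return principals


def permits(context, principals, permission):
    """First ACE whose principal is in `principals` and whose permission
    list names `permission` decides; no match means deny (Pyramid's default)."""
    for action, principal, perms in context.__acl__:
        if isinstance(perms, str):
            perms = (perms,)
        if principal in principals and permission in perms:
            return action == Allow
    return False


def check_request(path, userid, permission="view"):
    """Map a request to the status Pyramid would produce: 404 when the
    context factory finds nothing, 403 when the ACL denies, 200 otherwise."""
    parts = path.strip("/").split("/")
    if parts == ["pages"]:
        context = RootFactory()
    elif len(parts) == 2 and parts[0] == "pages":
        context = page_factory({"id": parts[1]})
    else:
        context = None
    if context is None:
        return 404
    return 200 if permits(context, effective_principals(userid), permission) else 403


if __name__ == "__main__":
    for user, perm in [("alice", "comment"), ("bob", "view"), ("bob", "comment"),
                       ("dave", "view"), (None, "view")]:
        print(user, perm, check_request("/pages/12", user, perm))
```

Because the ACL is assembled from the page row, the same view_config with permission='comment' on a comment view needs no extra code: a user who was granted view but not comment simply finds no matching Allow entry and receives 403, while a missing page never reaches the ACL check at all.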
