Dynamic user based authorization in Pyramid


Question

I'm following security guidelines found on Pyramid docs along with wiki tutorial Adding Authorization (http://docs.pylonsproject.org/projects/pyramid/1.0/tutorials/wiki2/authorization.html)

Now I need to add restrictions based on a single user rather than groups.

Let's say, for example, that while any blog editor can have permission to review all comments, only the post's author can edit the post itself.

For the first task I will have something like this in my Root ACL:

from pyramid.security import Allow, Everyone, Authenticated

# Group-level permissions: first matching ACE wins
__acl__ = [ (Allow, Everyone, 'view'),
            (Allow, Authenticated, 'view_profile'),
            (Allow, 'groups:editor', 'edit_comment')
]

But what about edit_post?

I've read this answer but it seems overkill to me for my needs since I don't need to build a resource tree.

Answer


You might be making this too complicated. First, only show a link to the edit_post view if the visitor is the post's author. That will handle 99% of the problem by making that view invisible to people who shouldn't see it. For the other 1% - clever users hand-editing the URL to directly access the editing view - add something like this:

import pyramid.httpexceptions
from pyramid.security import authenticated_userid

def edit_post(request):
    ...  # load the post and its author from the database
    # Object-level check: a group ACL cannot express "only this post's author"
    if authenticated_userid(request) != author:
        raise pyramid.httpexceptions.HTTPForbidden("You are not this post's author.")
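To make the two layers concrete, here is an added stand-alone example (not code from the question, the answer, or Pyramid itself): the ACL evaluation reimplements Pyramid's first-matching-ACE rule in plain Python so it runs without Pyramid installed, and Post, effective_principals, review_comments and the HTTPForbidden stand-in are constructed for the example.

```python
# Constructed example: group ACL for shared permissions, plus a per-object
# ownership check for the permission a group ACL cannot express.
from dataclasses import dataclass

Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"

# Same ACL as in the question, as plain tuples
ROOT_ACL = [
    (Allow, Everyone, "view"),
    (Allow, Authenticated, "view_profile"),
    (Allow, "groups:editor", "edit_comment"),
]


class HTTPForbidden(Exception):
    """Stand-in for pyramid.httpexceptions.HTTPForbidden."""


@dataclass
class Post:
    id: int
    author: str  # userid of the owner
    body: str


def effective_principals(userid, groups=()):
    """Everyone always; Authenticated, the userid and group principals when logged in."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid] + [f"groups:{g}" for g in groups]
    return principals


def acl_permits(acl, principals, permission):
    """First ACE matching both principal and permission decides; no match denies."""
    for action, principal, perms in acl:
        perms = perms if isinstance(perms, (list, tuple)) else [perms]
        if principal in principals and permission in perms:
            return action == Allow
    return False


def review_comments(userid, groups=()):
    """Group-level gate: any editor may review comments."""
    if not acl_permits(ROOT_ACL, effective_principals(userid, groups), "edit_comment"):
        raise HTTPForbidden("editors only")
    return "ok"


def edit_post(post, userid, new_body):
    """Object-level gate: ownership, checked in the view (anonymous userid is None)."""
    if userid != post.author:
        raise HTTPForbidden("You are not this post's author.")
    post.body = new_body
    return post
```

Because both checks run server-side, hiding the edit link in the template only improves usability; the view-level check is what actually stops a hand-edited URL.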
