Commits

Chris McDonough  committed 242a8c4

make security work

  • Participants
  • Parent commits 3a186ab

Comments (0)

Files changed (8)

File src/authorization/setup.py

 import os
+import sys
 
 from setuptools import setup, find_packages
 
     'SQLAlchemy',
     'transaction',
     'repoze.tm2',
-    'zope.sqlalchemy'
+    'zope.sqlalchemy',
+    'docutils',
 ]
 
 if sys.version_info[:3] < (2,5,0):

File src/authorization/tutorial.db

Binary file removed.

File src/authorization/tutorial/__init__.py

+from repoze.bfg.security import Allow
+from repoze.bfg.security import Everyone
+
+class RootFactory(object):
+    __acl__ = [ (Allow, Everyone, 'view'),
+                (Allow, 'group:editors', 'edit') ]
+    def __init__(self, request):
+        pass
+
+
 def main(global_config, **settings):
     """ This function returns a Pylons WSGI application.
     """
     from repoze.bfg.authentication import AuthTktAuthenticationPolicy
     from repoze.bfg.authorization import ACLAuthorizationPolicy
     from tutorial.security import groupfinder
-    from tutorial.views import MyController
     db_string = settings.get('db_string')
     if db_string is None:
         raise ValueError("No 'db_string' value in application "
     initialize_sql(db_string)
     config = Configurator(
         settings=settings,
-        authentication_policy=AuthTktAuthenticationPolicy('sosecret', callback=groupfinder),
-        authorization_policy=ACLAuthorizationPolicy()
+        authentication_policy=AuthTktAuthenticationPolicy(
+            'sosecret', callback=groupfinder),
+        authorization_policy=ACLAuthorizationPolicy(),
+        root_factory=RootFactory,
     )
     config.begin()
-    config.add_static_view('static', 'tutorial:templates/static')
-    config.add_handler('tutorial.views:MyController', pattern='/login',
-                       route_name='login', action='login', factory=MyController)
-    config.add_handler('tutorial.views:MyController', pattern='/logout',
-                       route_name='logout', action='logout', factory=MyController)
-    config.add_handler('tutorial.views:MyController', pattern='/',
-                       route_name='view_wiki', action='view_wiki', factory=MyController)
-    config.add_handler('tutorial.views:MyController', pattern='/{pagename}',
-                       route_name='view_page', action='view_page', factory=MyController)
-    config.add_handler('tutorial.views:MyController', pattern='/add_page/{pagename}',
-                       route_name='add_page', action='add_page', factory=MyController)
-    config.add_handler('tutorial.views:MyController', pattern='/{pagename}/edit_page',
-                       route_name='edit_page', action='edit_page', factory=MyController)
+    config.add_static_view(
+        'static',
+        'tutorial:templates/static'
+        )
+    config.add_handler(
+        'tutorial.handlers:WikiHandler',
+        pattern='/',
+        route_name='root',
+        )
+    config.add_handler(
+        'tutorial.handlers:WikiHandler',
+        pattern='/wiki/{pagename}/{action}',
+        route_name='wiki_action'
+        )
+    config.scan()
     config.end()
     return config.make_wsgi_app()
 

File src/authorization/tutorial/handlers.py

+import re
+
+from docutils.core import publish_parts
+
+from webob.exc import HTTPFound
+
+from repoze.bfg.security import authenticated_userid
+
+from pylons.views import action
+from pylons.url import route_url
+
+from tutorial.models import DBSession
+from tutorial.models import Page
+
+# regular expression used to find WikiWords
+wikiwords = re.compile(r"\b([A-Z]\w+[A-Z]+\w+)")
+
+class WikiHandler(object):
+    def __init__(self, request):
+        self.request = request
+
+    def __call__(self):
+        return HTTPFound(
+            location=route_url('wiki_action',
+                               self.request,
+                               pagename='FrontPage',
+                               action='view')
+            )
+    
+    @action(renderer='view.mak', permission='view')
+    def view(self):
+        matchdict = self.request.matchdict
+        session = DBSession()
+        page = session.query(Page).filter_by(name=matchdict['pagename']).one()
+        def check(match):
+            word = match.group(1)
+            exists = session.query(Page).filter_by(name=word).all()
+            if exists:
+                view_url = route_url('wiki_action',
+                                     self.request,
+                                     pagename=word,
+                                     action='view')
+                return '<a href="%s">%s</a>' % (view_url, word)
+            else:
+                add_url = route_url('wiki_action',
+                                    self.request,
+                                    pagename=word,
+                                    action='add')
+                return '<a href="%s">%s</a>' % (add_url, word)
+    
+        content = publish_parts(page.data, writer_name='html')['html_body']
+        content = wikiwords.sub(check, content)
+        edit_url = route_url('wiki_action',
+                             self.request,
+                             pagename=matchdict['pagename'],
+                             action='edit')
+        logged_in = authenticated_userid(self.request)
+        return dict(
+            page=page,
+            content=content,
+            edit_url=edit_url,
+            logged_in = logged_in
+        )
+    
+    @action(renderer='edit.mak', permission="edit")
+    def add(self):
+        name = self.request.matchdict['pagename']
+        if 'form.submitted' in self.request.params:
+            session = DBSession()
+            body = self.request.params['body']
+            page = Page(name, body)
+            session.add(page)
+            return HTTPFound(
+                location = route_url(
+                    'wiki_action',
+                    self.request,
+                    pagename=name,
+                    action='view')
+                )
+        save_url = route_url(
+            'wiki_action',
+            self.request,
+            pagename=name,
+            action='add')
+        page = Page('', '')
+        logged_in = authenticated_userid(self.request)
+        return dict(
+            page=page,
+            save_url=save_url,
+            logged_in = logged_in
+        )
+    
+    @action(renderer='edit.mak', permission="edit")    
+    def edit(self):
+        name = self.request.matchdict['pagename']
+        session = DBSession()
+        page = session.query(Page).filter_by(name=name).one()
+        if 'form.submitted' in self.request.params:
+            page.data = self.request.params['body']
+            session.add(page)
+            return HTTPFound(
+                location=route_url(
+                    'wiki_action',
+                    self.request,
+                    pagename=name,
+                    action='view')
+                )
+        logged_in = authenticated_userid(self.request)
+        return dict(
+            page=page,
+            save_url = route_url('wiki_action',
+                                 self.request,
+                                 pagename=name,
+                                 action='edit'),
+            logged_in = logged_in,
+        )
+

File src/authorization/tutorial/security.py

+from webob.exc import HTTPFound
+
+from repoze.bfg.view import bfg_view
+from repoze.bfg.exceptions import Forbidden
+
+from pylons.url import route_url
+
+from repoze.bfg.security import remember
+from repoze.bfg.security import forget
+
 USERS = {'editor':'editor',
           'viewer':'viewer'}
 GROUPS = {'editor':['group:editors']}
     if userid in USERS:
         return GROUPS.get(userid, [])
 
+class LoginView(object):
+    def __init__(self, request):
+        self.request = request
+
+    @bfg_view(renderer='login.mak', context=Forbidden)
+    @bfg_view(name='login', renderer='login.mak')
+    def login(self):
+        login_url = self.request.application_url + '/login'
+        referrer = self.request.url
+        if referrer == login_url:
+            referrer = '/' # never use the login form itself as came_from
+        came_from = self.request.params.get('came_from', referrer)
+        message = ''
+        login = ''
+        password = ''
+        if 'form.submitted' in self.request.params:
+            login = self.request.params['login']
+            password = self.request.params['password']
+            if USERS.get(login) == password:
+                headers = remember(self.request, login)
+                return HTTPFound(location=came_from, headers=headers)
+            message = 'Failed login'
+    
+        return dict(
+            message = message,
+            url = self.request.application_url + '/login',
+            came_from = came_from,
+            login = login,
+            password = password,
+        )
+    
+    @bfg_view(name='logout', permission='view')
+    def logout(self):
+        headers = forget(self.request)
+        return HTTPFound(
+            location=route_url('root', self.request),
+            headers=headers
+            )
+        

File src/authorization/tutorial/templates/mytemplate.mak

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"
-      xmlns:tal="http://xml.zope.org/namespaces/tal">
-<head>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<title>${project} Application</title>
-<meta name="keywords" content="python web application" />
-<meta name="description" content="Pylons web application" />
-<link href="${request.application_url}/static/default.css" rel="stylesheet" type="text/css" />
-</head>
-<body>
-<!-- start header -->
-<div id="logo">
-  <h2><code>${project}</code>, a <code>Pylons</code> application</h2>
-</div>
-<div id="header">
-  <div id="menu">
-  </div>
-</div>
-<!-- end header -->
-<div id="wrapper">
-  <!-- start page -->
-  <div id="page">
-    <!-- start content -->
-    <div id="content">
-      <div class="post">
-	<h1 class="title">Welcome to <code>${project}</code>, an
-	application generated by the <a
-	href="http://pylonshq.com">Pylons</a> web
-	application framework.</h1>
-      </div>
-    </div>
-    <!-- end content -->
-    <!-- start sidebar -->
-    <div id="sidebar"></div>
-    <!-- end sidebar -->
-    <div style="clear: both;">&nbsp;</div>
-  </div>
-</div>
-<!-- end page -->
-<!-- start footer -->
-<div id="footer">
-  <p id="legal">( c ) 2008. All Rights Reserved. Template design
-  by <a href="http://www.freecsstemplates.org/">Free CSS
-  Templates</a>.</p>
-</div>
-<!-- end footer -->
-</body>
-</html>

File src/authorization/tutorial/templates/view.mak

 <div style="float:right; width: 10em;"> Viewing
 <span>${page.name or 'Page Name Goes Here'}</span> <br/>
 You can return to the <a href="${request.application_url}">FrontPage</a>.
+<br/><br/>
+% if logged_in:
+You are logged in as ${logged_in}.
+<a href="${request.application_url}/logout">Logout</a>
+% endif
 </div>
 
 <div>${content or 'Page text goes here.'}</div>

File src/authorization/tutorial/views.py

-import re
-
-from docutils.core import publish_parts
-
-from webob.exc import HTTPFound
-
-from repoze.bfg.security import remember
-from repoze.bfg.security import forget
-from repoze.bfg.security import Allow
-from repoze.bfg.security import Everyone
-from repoze.bfg.security import authenticated_userid
-from repoze.bfg.url import route_url
-from repoze.bfg.view import bfg_view
-from repoze.bfg.exceptions import Forbidden
-
-from pylons.views import action
-#from pylons import url
-from tutorial.models import DBSession
-from tutorial.models import Page
-from tutorial.security import USERS
-
-# regular expression used to find WikiWords
-wikiwords = re.compile(r"\b([A-Z]\w+[A-Z]+\w+)")
-
-class MyController(object):
-    __acl__ = [ (Allow, Everyone, 'view'),
-                (Allow, 'group:editors', 'edit') ]
-                
-    def __init__(self, request):
-        self.request = request
-        self.__dict__.update(self.request.matchdict)
-
-    @action(renderer='mytemplate.mak')
-    def index(self):
-        return {'root':root, 'project':'tutorial'}
-    
-    @action(renderer='view.mak')
-    def view_wiki(self):
-        return HTTPFound(location=route_url('view_page', self.request, pagename='FrontPage'))
-    
-    @action(renderer='view.mak')
-    def view_page(self):
-        matchdict = self.request.matchdict
-        session = DBSession()
-        page = session.query(Page).filter_by(name=matchdict['pagename']).one()
-        def check(match):
-            word = match.group(1)
-            exists = session.query(Page).filter_by(name=word).all()
-            if exists:
-                view_url = route_url('view_page', self.request, pagename=word)
-                return '<a href="%s">%s</a>' % (view_url, word)
-            else:
-                add_url = route_url('add_page', self.request, pagename=word)
-                return '<a href="%s">%s</a>' % (add_url, word)
-    
-        content = publish_parts(page.data, writer_name='html')['html_body']
-        content = wikiwords.sub(check, content)
-        edit_url = route_url('edit_page', self.request, pagename=matchdict['pagename'])
-        logged_in = authenticated_userid(self.request)
-        return dict(
-            page=page,
-            content=content,
-            edit_url=edit_url,
-            logged_in = logged_in
-        )
-    
-    @action(renderer='edit.mak', permission="edit")
-    def add_page(self):
-        name = self.request.matchdict['pagename']
-        if 'form.submitted' in self.request.params:
-            session = DBSession()
-            body = self.request.params['body']
-            page = Page(name, body)
-            session.add(page)
-            return HTTPFound(location = route_url('view_page', self.request, pagename=name))
-        save_url = route_url('add_page', request, pagename=name)
-        page = Page('', '')
-        logged_in = authenticated_userid(self.request)
-        return dict(
-            page=page,
-            save_url=save_url,
-            logged_in = logged_in
-        )
-    
-    @action(renderer='edit.mak', permission="edit")    
-    def edit_page(self):
-        name = self.request.matchdict['pagename']
-        session = DBSession()
-        page = session.query(Page).filter_by(name=name).one()
-        if 'form.submitted' in self.request.params:
-            page.data = self.request.params['body']
-            session.add(page)
-            return HTTPFound(location=route_url('view_page', self.request, pagename=name))
-        logged_in = authenticated_userid(self.request)
-        return dict(
-            page=page,
-            save_url = route_url('edit_page', self.request, pagename=name),
-            logged_in = logged_in,
-        )
-    
-    @action(renderer='login.mak', context=Forbidden)
-    def login(self):
-        login_url = route_url('login', self.request)
-        referrer = self.request.url
-        if referrer == login_url:
-            referrer = '/' # never use the login form itself as came_from
-        came_from = self.request.params.get('came_from', referrer)
-        message = ''
-        login = ''
-        password = ''
-        if 'form.submitted' in self.request.params:
-            login = self.request.params['login']
-            password = self.request.params['password']
-            if USERS.get(login) == password:
-                headers = remember(self.request, login)
-                return HTTPFound(location=came_from, headers=headers)
-            message = 'Failed login'
-    
-        return dict(
-            message = message,
-            url = self.request.application_url + '/login',
-            came_from = came_from,
-            login = login,
-            password = password,
-        )
-    
-    @action()    
-    def logout(self):
-        headers = forget(self.request)
-        return HTTPFound(location=route_url('view_wiki', self.request), headers=headers)
-        
-