SessionAuthenticationPolicy callback calls


tonthon

Nov 16, 2017, 8:35:29 AM
to pylons-...@googlegroups.com

Hi,

I'm using the SessionAuthenticationPolicy with a callback used to retrieve groups.

I'm wondering:

When is that callback called (it appears to be called a large number of times inside the same request)?

Could it be reified without any security risk?

Thanks in advance

Regards,

Gaston Tjebbes

http://majerti.fr

Michael Merickel

Nov 16, 2017, 11:19:30 AM
to Pylons
The policy is invoked anytime request.authenticated_userid is requested, which includes request.effective_principals, which would occur for any call to request.has_permission. A common approach is to create request.user which is reified from request.unauthenticated_userid and then you configure request.authenticated_userid to use the id from request.user. Similarly you configure request.effective_principals to use request.user to generate the principals (from within your policy callback).

FWIW I highly recommend using a subclass approach instead of using the callback as I think it's vastly more clear (shown below):

from pyramid.authentication import SessionAuthenticationPolicy
from pyramid.security import Authenticated, Everyone

class MyAuthenticationPolicy(SessionAuthenticationPolicy):
    def authenticated_userid(self, request):
        # request.user is reified, so the database lookup happens once per request
        user = request.user
        if user is not None:
            return user.id

    def effective_principals(self, request):
        user = request.user
        principals = [Everyone]
        if user is not None:
            principals += [
                Authenticated,
                'u:{}'.format(user.id),
                # ... any other principals
            ]
        return principals

def get_user(request):
    userid = request.unauthenticated_userid
    # validate userid with the database and load the user object
    user = request.dbsession.query(User).get(userid)
    return user

# in your Configurator setup (e.g. main() or an includeme):
config.add_request_method(get_user, 'user', reify=True)


This will not prevent effective_principals from doing lots of work... you could set up a cache on the request for that as well if you wanted, but usually the main work is done loading the user object, which we have optimized away.

It is up to you to deal with the implications of caching the user and avoiding recomputations... if you change the user's logged-in status etc they will still show up as logged in from the perspective of the request. It will only affect later requests. This is fine for most people but you need to be aware of it.

- Michael
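The following is an added, stand-alone model of the pattern described in this reply; it is not code from the thread or from Pyramid. It does not import Pyramid: `reify`, `Request`, `Everyone` and `Authenticated` are minimal stand-ins for the Pyramid names, `FakeDB` counts lookups in place of `request.dbsession`, and the user table is constructed. It shows that repeated permission checks in one request hit the database once, that a session id for an inactive user is not trusted, and the caveat Michael raises: a logout during the request does not change the already-reified user until the next request.

```python
# Added example: reified request.user with a subclass policy (Pyramid-like stand-ins).
Everyone = "system.Everyone"          # stand-in for pyramid.security.Everyone
Authenticated = "system.Authenticated"  # stand-in for pyramid.security.Authenticated


class reify:
    """Stand-in for pyramid.decorator.reify: compute once, then cache on the instance."""
    def __init__(self, func):
        self.func = func

    def __get__(self, inst, owner=None):
        if inst is None:
            return self
        value = self.func(inst)
        # Store the value in the instance dict; it shadows this non-data descriptor.
        setattr(inst, self.func.__name__, value)
        return value


class User:
    def __init__(self, id, groups, active=True):
        self.id, self.groups, self.active = id, groups, active


# Constructed user table: user 2 has been deactivated but may still have a session.
USERS = {1: User(1, ["editors"]), 2: User(2, [], active=False)}


class FakeDB:
    """Counts lookups so the test can prove the reified user is loaded once per request."""
    def __init__(self):
        self.queries = 0

    def get_user(self, userid):
        self.queries += 1
        return USERS.get(userid)


class MyAuthenticationPolicy:
    """The subclass approach from the reply: everything is derived from request.user."""
    def authenticated_userid(self, request):
        user = request.user
        if user is not None:
            return user.id

    def effective_principals(self, request):
        user = request.user
        principals = [Everyone]
        if user is not None:
            principals += [Authenticated, "u:{}".format(user.id)]
            principals += ["g:{}".format(g) for g in user.groups]
        return principals


class Request:
    """Minimal request: a session dict, a db handle and the policy wired in."""
    def __init__(self, session, db):
        self.session = session
        self.db = db
        self.policy = MyAuthenticationPolicy()

    @property
    def unauthenticated_userid(self):
        # What SessionAuthenticationPolicy reads from the session: an unverified claim.
        return self.session.get("userid")

    @reify
    def user(self):
        # Equivalent of get_user() registered via add_request_method(..., reify=True).
        userid = self.unauthenticated_userid
        if userid is None:
            return None
        user = self.db.get_user(userid)
        if user is None or not user.active:
            return None  # stale or revoked session id: treat as anonymous
        return user

    @property
    def authenticated_userid(self):
        return self.policy.authenticated_userid(self)

    @property
    def effective_principals(self):
        return self.policy.effective_principals(self)


def simulate_request(session, db, permission_checks=5):
    """Perform several permission-style checks in one request; return (principals, db queries)."""
    req = Request(session, db)
    principals = None
    for _ in range(permission_checks):
        principals = req.effective_principals
        req.authenticated_userid
    return principals, db.queries


def logout_mid_request(db):
    """Caveat: clearing the session mid-request leaves the reified user in place."""
    req = Request({"userid": 1}, db)
    before = req.authenticated_userid
    req.session.clear()                                  # logout inside this request
    after = req.authenticated_userid                     # still 1: cached on the request
    fresh = Request(req.session, db).authenticated_userid  # next request sees None
    return before, after, fresh


if __name__ == "__main__":
    print(simulate_request({"userid": 1}, FakeDB()))
    print(logout_mid_request(FakeDB()))
```

The design choice worth noting is that the untrusted session value is only ever read through `unauthenticated_userid`, and every authorization decision goes through the single verified `user` object; if you need a logout to take effect within the same request, you have to clear the cached attribute yourself, since reify has no invalidation.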


