how does pyramid know what "create" , "view", "edit" etc is ?
84 views
Skip to first unread message
pzzcc
May 9, 2021, 1:00:47 PM5/9/21
to pylons-discuss
Hi,
I am trying to wrap my head around some pyramid concepts and I am trying to figure out how does a view config know what a permission like ( view , edit , create ) is ?
does it rely on the pyramid_tm r or the routes or what ?
I know how to use them but I need to wrap my head againts some concepts.
thanks.
Thierry Florac
May 9, 2021, 2:17:13 PM5/9/21
to pylons-...@googlegroups.com
Hi,
Are you asking about the way to protect a view with a permission, or about the way to grant this permission to a request?
Best regards,
Thierry
--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/2b676239-b805-40d6-9ae2-1e4c60a9a7dcn%40googlegroups.com.
Theron Luhn
May 10, 2021, 2:03:38 AM5/10/21
to 'Jonathan Vanasco' via pylons-discuss
If a view has a permission set, Pyramid calls the permits() method of your security policy. https://docs.pylonsproject.org/projects/pyramid/en/latest/api/interfaces.html#pyramid.interfaces.ISecurityPolicy (Authorization in Pyramid 1.x) If permits returns true, Pyramid continues the view stack. If false, an HTTPForbidden error is raised.
— Theron
So the permission can be any string you want it to be, as long as permits() can understand it and give a yes or no. Pyramid itself doesn’t have any awareness of what a permission means, it just passes it on to permits().
I assume you’ve already read the security docs, but if not that’s the place to start: https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/security.html
— Theron
Laurent Daverio
May 10, 2021, 5:30:03 AM5/10/21
to pylons-...@googlegroups.com
Hello,
you could have a look at the "Authorization" page of the SQLAlchemy +
URL dispatch wiki tutorial:
https://pyramid.readthedocs.io/en/latest/tutorials/wiki2/authorization.html
Basically : you define your permission as string via an ACL mechanism.
Your permissions may be global (e.g. all members of the "managers"
group get the "manage" permission), or defined via a route factory.
Route factories allow for policies such as: every authenticated user
can "view" a page, its author can "edit" it. They also allow you to
simplify the code of your views.
Hope this helps,
Laurent.
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAPX_VWCYnWP_Rrbgk1ZBP1JBUN8KNztgj5%3DJ_Q_8%2B_uvAXAv_A%40mail.gmail.com.
you could have a look at the "Authorization" page of the SQLAlchemy +
URL dispatch wiki tutorial:
https://pyramid.readthedocs.io/en/latest/tutorials/wiki2/authorization.html
Basically : you define your permission as string via an ACL mechanism.
Your permissions may be global (e.g. all members of the "managers"
group get the "manage" permission), or defined via a route factory.
Route factories allow for policies such as: every authenticated user
can "view" a page, its author can "edit" it. They also allow you to
simplify the code of your views.
Hope this helps,
Laurent.
pzzcc
May 10, 2021, 3:32:45 PM5/10/21
to pylons-discuss
thank you for the input everyone.
please correct me if I am wrong , does pyramid know what a ( view ) action is ?
does it know that an Edit action ( is a form that is being POSTed or Restful call to update ?
same goes for create , does it have a way to figure out that create is ( PUT )?
in other words , if I go to a view and change the view config to have a permssion of ( update ) instead of ( edit ) ,
and then go to principals and update them accordingly , Pyramid it self wont care, would it ?
can a view have more than one permission like ( update , create , view ) ?
I am trying to figure out how it works so I can write a better code because I have gone through the wiki tutorial , it is great but it leaves you with a lot of question to be able to understand how things are put together .
Steve Piercy
May 10, 2021, 3:58:57 PM5/10/21
to pylons-...@googlegroups.com
I think that what you seek more understanding on is this thing called "predicates". A predicate is a test which returns True or False, and which narrows the set of circumstances in which views or routes may be called.
For example, to limit matching of a view callable to a `route_name` of `home` and to the `POST` HTTP `request_method`, you would set the predicates in a view decorator as follows.
@view_config(
route_name='home',
request_method='POST'
)
def home(request):
return Response('Welcome!')
More information on view predicates.
https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/viewconfig.html#view-configuration-parameters
--steve
On 5/10/21 12:32 PM, pzzcc wrote:
> thank you for the input everyone.
>
> please correct me if I am wrong , does pyramid know what a ( *view* ) action is ?
> *
> *
> *and then go to principals and update them accordingly , Pyramid it self wont care, would it ? *
> *
> *
> *can a view have more than one permission like ( update , create , view ) ? *
> *
> *
> /I am trying to figure out how it works so I can write a better code because I have gone through the wiki tutorial , it is *great* but it leaves you with a lot of question to be able to understand how things are put together ./
> *
> *
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/97b621fe-4b8b-4a44-884a-079813495ff4n%40googlegroups.com <https://groups.google.com/d/msgid/pylons-discuss/97b621fe-4b8b-4a44-884a-079813495ff4n%40googlegroups.com?utm_medium=email&utm_source=footer>.
For example, to limit matching of a view callable to a `route_name` of `home` and to the `POST` HTTP `request_method`, you would set the predicates in a view decorator as follows.
@view_config(
route_name='home',
request_method='POST'
)
def home(request):
return Response('Welcome!')
More information on view predicates.
https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/viewconfig.html#view-configuration-parameters
--steve
On 5/10/21 12:32 PM, pzzcc wrote:
> thank you for the input everyone.
>
>
> does it know that an Edit action ( is a form that is being POSTed or Restful call to update ?
>
> same goes for create , does it have a way to figure out that create is ( PUT )?
>
>
> *in other words , if I go to a view and change the view config to have a permssion of ( update ) instead of ( edit ) ,*
> does it know that an Edit action ( is a form that is being POSTed or Restful call to update ?
>
> same goes for create , does it have a way to figure out that create is ( PUT )?
>
>
> *
> *
> *and then go to principals and update them accordingly , Pyramid it self wont care, would it ? *
> *
> *
> *can a view have more than one permission like ( update , create , view ) ? *
> *
> *
> /I am trying to figure out how it works so I can write a better code because I have gone through the wiki tutorial , it is *great* but it leaves you with a lot of question to be able to understand how things are put together ./
> *
> *
>
> On Monday, May 10, 2021 at 12:30:03 PM UTC+3 Eldav wrote:
>
> Hello,
>
> you could have a look at the "Authorization" page of the SQLAlchemy +
> URL dispatch wiki tutorial:
>
> https://pyramid.readthedocs.io/en/latest/tutorials/wiki2/authorization.html <https://pyramid.readthedocs.io/en/latest/tutorials/wiki2/authorization.html>
> On Monday, May 10, 2021 at 12:30:03 PM UTC+3 Eldav wrote:
>
> Hello,
>
> you could have a look at the "Authorization" page of the SQLAlchemy +
> URL dispatch wiki tutorial:
>
>
> Basically : you define your permission as string via an ACL mechanism.
> Your permissions may be global (e.g. all members of the "managers"
> group get the "manage" permission), or defined via a route factory.
> Route factories allow for policies such as: every authenticated user
> can "view" a page, its author can "edit" it. They also allow you to
> simplify the code of your views.
>
> Hope this helps,
>
> Laurent.
>
> Le dim. 9 mai 2021 à 20:17, Thierry Florac <tfl...@gmail.com> a écrit :
> >
> > Hi,
> > Are you asking about the way to protect a view with a permission, or about the way to grant this permission to a request?
> > Best regards,
> > Thierry
> > --
> > https://www.ulthar.net <https://www.ulthar.net> -- http://pyams.readthedocs.io <http://pyams.readthedocs.io>
> Basically : you define your permission as string via an ACL mechanism.
> Your permissions may be global (e.g. all members of the "managers"
> group get the "manage" permission), or defined via a route factory.
> Route factories allow for policies such as: every authenticated user
> can "view" a page, its author can "edit" it. They also allow you to
> simplify the code of your views.
>
> Hope this helps,
>
> Laurent.
>
> Le dim. 9 mai 2021 à 20:17, Thierry Florac <tfl...@gmail.com> a écrit :
> >
> > Hi,
> > Are you asking about the way to protect a view with a permission, or about the way to grant this permission to a request?
> > Best regards,
> > Thierry
> > --
> >
> >
> > Le dim. 9 mai 2021 à 19:00, pzzcc <grc...@gmail.com> a écrit :
> >>
> >> Hi,
> >>
> >> I am trying to wrap my head around some pyramid concepts and I am trying to figure out how does a view config know what a permission like ( view , edit , create ) is ?
> >>
> >> does it rely on the pyramid_tm r or the routes or what ?
> >>
> >> I know how to use them but I need to wrap my head againts some concepts.
> >>
> >> thanks.
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> >> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/2b676239-b805-40d6-9ae2-1e4c60a9a7dcn%40googlegroups.com <https://groups.google.com/d/msgid/pylons-discuss/2b676239-b805-40d6-9ae2-1e4c60a9a7dcn%40googlegroups.com>.
> >
> > Le dim. 9 mai 2021 à 19:00, pzzcc <grc...@gmail.com> a écrit :
> >>
> >> Hi,
> >>
> >> I am trying to wrap my head around some pyramid concepts and I am trying to figure out how does a view config know what a permission like ( view , edit , create ) is ?
> >>
> >> does it rely on the pyramid_tm r or the routes or what ?
> >>
> >> I know how to use them but I need to wrap my head againts some concepts.
> >>
> >> thanks.
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAPX_VWCYnWP_Rrbgk1ZBP1JBUN8KNztgj5%3DJ_Q_8%2B_uvAXAv_A%40mail.gmail.com <https://groups.google.com/d/msgid/pylons-discuss/CAPX_VWCYnWP_Rrbgk1ZBP1JBUN8KNztgj5%3DJ_Q_8%2B_uvAXAv_A%40mail.gmail.com>.
> > --
> > You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
>
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com <mailto:pylons-discus...@googlegroups.com>.
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/97b621fe-4b8b-4a44-884a-079813495ff4n%40googlegroups.com <https://groups.google.com/d/msgid/pylons-discuss/97b621fe-4b8b-4a44-884a-079813495ff4n%40googlegroups.com?utm_medium=email&utm_source=footer>.
Michael Merickel
May 10, 2021, 4:03:50 PM5/10/21
to pylons-...@googlegroups.com
The permission strings are arbitrary. For examples that are using ACLs (like the wiki tutorials) the only requirement is that the strings should match up to ACL entries that you are generating on your context objects. Pyramid does not care about the values of the strings and you could use "update" or "edit" or "foo". If a principal in the request and the permission on the view do not match an ACL entry then an HTTPForbidden exception is raised.
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/97b621fe-4b8b-4a44-884a-079813495ff4n%40googlegroups.com.
pzzcc
May 10, 2021, 4:27:09 PM5/10/21
to pylons-discuss
excellent !!
I am very happy with pyramid and some things don't make sense at the beginning but the end result is a much cleaner / simpler / modular code.
thank you so much everyone !!
Jonathan Vanasco
May 12, 2021, 5:58:03 PM5/12/21
to pylons-discuss
Extending and hoping to clarify Steve's example above, Pyramid users typically leverage the "predicates" to handle this mapping. by using the `request_method` predicate to map "GET" to "view", "POST" to "create", etc.
Reply all
Reply to author
Forward
0 new messages