Allow current user to have access to specific routes


Mauricio Cifuentes

May 23, 2022, 8:26:09 AM5/23/22
to Tornado Web Server

 I am trying to prevent a logged-in user from accessing URL routes that are not assigned to them. The logic is simple: as soon as a user has logged in, for example 'user1', he is redirected to a specific URL, https://myurl.com/user1. So far that works superbly, but I am struggling to understand how to implement a rule that prevents 'user1' from accessing and seeing the content at user2's route, https://myurl.com/user2.

Below you can find the code I am currently using:


import tornado
from tornado.web import RequestHandler
import sqlite3


# could define get_user_async instead
def get_user(request_handler):
    """Return the value of the ``user`` cookie on *request_handler*, or None if it is absent.

    This reads the plain cookie with ``get_cookie``, i.e. the raw value the browser
    sent; nothing here verifies that the value was issued by the server.
    """
    cookie_value = request_handler.get_cookie("user")
    return cookie_value


# could also define get_login_url function (but must give up LoginHandler)
login_url = "/login"  # route of LoginHandler below; the handlers redirect here with ?error=... on failure

# Initialize SQLITE3 parameters
db_file = "user_login.db"  # sqlite database opened by LoginHandler.check_permission
# NOTE(review): these two module globals are never read; check_permission binds its
# own local ``connection``/``cursor`` names, so these are dead state.
connection = None
cursor = None

# optional login page for login_url
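class LoginHandler(RequestHandler):
    """Render the login form and authenticate form posts against the sqlite ``users`` table.

    On success the username is stored in the ``user`` cookie (see ``set_current_user``)
    and the browser is sent to ``/<username>`` or to a same-site ``next`` path.
    """

    def get(self):
        """Render ``login.html``, passing along the ``error`` query argument (or "")."""
        # get_argument with a default replaces the original try/except around a
        # missing argument; the rendered value is identical.
        errormessage = self.get_argument("error", "")
        self.render("login.html", errormessage=errormessage)

    def check_permission(self, username, password):
        """Return True when a ``users`` row matches *username* and *password*.

        Returns False instead of raising when no row matches (the original indexed
        ``None`` in that case). The connection is closed on every path.

        NOTE(review): the submitted password is compared verbatim with the stored
        column, so the table holds plaintext passwords. Storing a salted hash
        (``hashlib.scrypt`` / ``hashlib.pbkdf2_hmac``) and verifying with
        ``hmac.compare_digest`` is the usual fix; it needs a schema change, so it is
        not done here. Column positions 1 and 2 are assumed to be username/password
        as in the original — confirm against the table definition.
        """
        connection = sqlite3.connect(db_file)
        try:
            cursor = connection.execute(
                "SELECT * FROM users WHERE username=? AND password=?", (username, password)
            )
            row = cursor.fetchone()
        finally:
            connection.close()
        if row is None:
            return False
        return username == row[1] and password == row[2]

    def post(self):
        """Authenticate the submitted form.

        On success set the ``user`` cookie and redirect to ``next`` (same-site paths
        only) or ``/<username>``; otherwise redirect back to ``login_url`` with an
        ``error`` message.
        """
        username = self.get_argument("username", "")
        password = self.get_argument("password", "")
        if self.check_permission(username, password):
            self.set_current_user(username)
            default_target = f"/{username}"
            requested = self.get_argument("next", default_target)
            self.redirect(self._local_target(requested, default_target))
        else:
            error_msg = "?error=" + tornado.escape.url_escape(
                "Login failed, please try again or contact your system administrator."
            )
            self.redirect(login_url + error_msg)

    def set_current_user(self, user):
        """Store *user* in the ``user`` cookie, or clear the cookie when *user* is falsy.

        NOTE(review): this is a plain, unsigned cookie (``set_cookie``), so a client can
        write any username into it and ``get_user`` will return that value. Switching
        this to ``set_secure_cookie`` (with a ``cookie_secret`` in the application
        settings) and ``get_user`` to ``get_secure_cookie`` makes the value
        tamper-evident; both must change together. ``httponly`` keeps the cookie out
        of reach of page scripts.
        """
        if user:
            self.set_cookie("user", tornado.escape.json_encode(user), httponly=True)
        else:
            self.clear_cookie("user")

    @staticmethod
    def _local_target(target, fallback):
        """Return *target* if it is a same-site path, otherwise *fallback*.

        Guards the request-controlled ``next`` argument against open redirects: only a
        path beginning with a single ``/`` is followed; ``//host``, ``/\\host`` and
        ``scheme://`` forms are rejected.
        """
        if target.startswith("/") and target[1:2] not in ("/", "\\"):
            return target
        return fallback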

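class UrlHandler(RequestHandler):
    """Handler for the per-user route ``/<username>``."""

    def is_this_your_route(self, username):
        """Allow the request only if the first path segment equals *username* exactly.

        The original used ``username in request.uri``, a substring test over the whole
        URI including the query string, so ``user1`` was accepted for ``/user10``,
        ``/user2?x=user1`` or ``/user2/user1``. This compares the first segment of
        ``request.path`` (no query string) for equality, so only ``/user1`` and
        ``/user1/...`` match. *username* must be the authenticated identity (what the
        server stored at login), never a value taken from the request itself.

        On a match the browser is redirected to a same-site ``next`` path or
        ``/<username>``; otherwise it is sent to ``login_url`` with an error.
        NOTE(review): redirecting on success from a ``get`` that serves ``/<username>``
        would loop back to itself; the caller probably wants to render the page
        instead — confirm.
        """
        path_user = self.request.path.strip("/").split("/", 1)[0]
        if path_user == username:
            default_target = f"/{username}"
            target = self.get_argument("next", default_target)
            # Only follow same-site paths; ``//host`` and ``scheme://`` would be an
            # open redirect.
            if not target.startswith("/") or target[1:2] in ("/", "\\"):
                target = default_target
            self.redirect(target)
        else:
            error_msg = "?error=" + tornado.escape.url_escape(
                "You are not authorised to access this page."
            )
            self.redirect(login_url + error_msg)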



# optional logout_url, available as curdoc().session_context.logout_url
logout_url = "/logout"  # route of LogoutHandler below, which clears the ``user`` cookie

# optional logout handler for logout_url
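class LogoutHandler(RequestHandler):
    """Clear the ``user`` cookie and send the browser to ``next`` (same-site only) or ``/``."""

    def get(self):
        """Log the current user out.

        ``next`` is request-controlled, so only a path beginning with a single ``/`` is
        followed; ``//host``, ``/\\host`` and ``scheme://`` forms fall back to ``/`` to
        avoid an open redirect.
        """
        self.clear_cookie("user")
        target = self.get_argument("next", "/")
        if not target.startswith("/") or target[1:2] in ("/", "\\"):
            target = "/"
        self.redirect(target)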
