identity and many groups


Lukasz Szybalski

Jun 9, 2008, 8:27:25 PM
to TurboGears
Hello,
I have around 300 groups that I need to add to identity.
Each of these groups will have its users, and these users will only be
allowed to see that group's data. So based on the user that logs in I
will check for his/her group and get the data for that group.


So currently in controller I have:
@identity.require(identity.in_group("admin"))

I see I could add:
@identity.require(identity.in_any_group("admin","group2","group3"....))

How can I require the user to be in any one of the 300 groups?
@identity.require(identity.in_any_group("*"))
or
@identity.require(identity.in_any_group()) (this doesn't work)
or something similar?

http://lucasmanual.com/tgdocs/turbogears.identity.conditions-module.html

How else could I do it?

Thanks,
Lucas


--
Where was my car manufactured?
http://cars.lucasmanual.com/vin
TurboGears Manual-Howto
http://lucasmanual.com/pdf/TurboGears-Manual-Howto.pdf

Diez B. Roggisch

Jun 10, 2008, 2:25:33 AM
to turbo...@googlegroups.com
Lukasz Szybalski wrote:

> Hello,
> I have around 300 groups that I need to add to identity.
> Each of these groups will have its users, and these users will only be
> allowed to see that group's data. So based on the user that logs in I
> will check for his/her group and get the data for that group.
>
>
> So currently in controller I have:
> @identity.require(identity.in_group("admin"))
>
> I see I could add:
> @identity.require(identity.in_any_group("admin","group2","group3"....))
>
> How can I require the user to be in any one of the 300 groups?
> @identity.require(identity.in_any_group("*"))
> or
> @identity.require(identity.in_any_group()) (this doesn't work)
> or something similar?
>
> http://lucasmanual.com/tgdocs/turbogears.identity.conditions-module.html
>
> How else could I do it?

Requiring that the user is not anonymous?

Diez

Cecil Westerhof

Jun 10, 2008, 3:29:47 AM
to turbo...@googlegroups.com
2008/6/10 Diez B. Roggisch <de...@web.de>:

That will only work when every user is in a group.
I think that there is a way to get the group(s) of a user. When the
only requirement is that the person is part of a group, you could
check that it is not empty.

--
Cecil Westerhof

Marco Mariani

Jun 10, 2008, 3:59:17 AM
to turbo...@googlegroups.com
Diez B. Roggisch wrote:

>> I see I could add:
>> @identity.require(identity.in_any_group("admin","group2","group3"....))
>>

I think you should grant a permission to all of those groups, and check
the permission directly. That's what permissions are for.

Or else, in case things get more hairy, entirely avoid having 300 named
groups, and handle the security stuff inside the controller (not in the
decorator).



Marco Mariani

Jun 10, 2008, 4:01:18 AM
to turbo...@googlegroups.com
Cecil Westerhof wrote:

> That will only work when every user is in a group.
> I think that there is a way to get the group(s) of an user. When the
> only requirement is that the person is part of a group, you could
> check that it is not empty.
>

Maybe you mean identity.conditions.in_any_group()

Jorge Godoy

Jun 10, 2008, 6:36:42 AM
to turbo...@googlegroups.com
On Tuesday 10 June 2008 04:29:47 Cecil Westerhof wrote:
> That will only work when every user is in a group.
> I think that there is a way to get the group(s) of an user. When the
> only requirement is that the person is part of a group, you could
> check that it is not empty.

Either that or instead of checking for groups check for a specific permission
(kind of "ibelongtoagroup" permission) and use that on all groups. You can
even hide this permission from the interface and add it automatically to all
groups.

Everywhere I check for identity stuff I check for permissions; this way
I can have fine-grained control and I can put the same permission in
different groups assigned to different users.

All I do, from an identity point of view, is require certain
permissions, add those with a nice description to the permissions table
and then let my client decide who will do what.

For his clients we made two extra interfaces: one where he says which groups
will be available for them and another that filters user-group associations
to show just those groups and lets them associate permissions with their own
users (i.e. I have an internal admin that does that, and each external company
has its own admin that can decide what its users can do).

It isn't as complex as it seems and can be implemented quickly.

But I suggest only checking for permissions, never for users or groups. (I
also use not anonymous checks).


Regards,
--
Jorge Godoy <jgo...@gmail.com>


Lukasz Szybalski

Jun 10, 2008, 9:58:52 AM
to turbo...@googlegroups.com
1. @identity.require(identity.in_any_group())
still tells me that I need to log in, which means I'm not
authenticated. I assume that in_any_group() requires a list of groups?
How can I provide it to in_any_group(????)

2. Requiring that the user is not anonymous?
I guess this might work, because users might register themselves and
not be placed in any group. I would still have to check if the user is in
any group, so might as well still


On Tue, Jun 10, 2008 at 5:36 AM, Jorge Godoy <jgo...@gmail.com> wrote:
> On Tuesday 10 June 2008 04:29:47 Cecil Westerhof wrote:
>> That will only work when every user is in a group.
>> I think that there is a way to get the group(s) of an user. When the
>> only requirement is that the person is part of a group, you could
>> check that it is not empty.

What would be the code for "check if not empty"?
@identity.require(group not empty????)


>
> Either that or instead of checking for groups check for a specific permission
> (kind of "ibelongtoagroup" permission) and use that on all groups. You can
> even hide this permission from the interface and add it automatically to all
> groups.

Well, right now everybody has the same permission, i.e. they can access the
system when they are logged in, but can only access the data for their
group (select *..... where group = 123). So permissions won't help me
figure out what group they are in?

Unless I am missing something...let me know.


>
> All places where I check for identity stuff I check for permissions, this way
> I can have fine grained control and I can group the same permission in
> different groups assigned to different users.
>
> All what I do, from an identity point of view, is requiring certain
> permissions, adding those with a nice description to the permissions table
> and then I let my client decide who will do what.

As I mentioned before, right now everybody does everything on their own
group's data. I could add a permission "ingroup:True", but what happens when
they forget to add them to a group? Then I need to check if the user is in
any group again, so I'm back to square one.


>
> For his clients we made two extra interfaces: one where he says which groups
> will be available for them and another that filters user-group associations
> to show just that groups and to let them associate permissions to their own
> users (i.e. I have an internal admin that does that and each external company
> has their own admin that can decide what their users can do).
>
> It isn't as complex as it seems and can be implemented quickly.
>
> But I suggest only checking for permissions, never for users or groups.


Thanks,
Lucas

Cecil Westerhof

Jun 10, 2008, 10:13:27 AM
to turbo...@googlegroups.com
2008/6/10 Lukasz Szybalski <szyb...@gmail.com>:

>>> I think that there is a way to get the group(s) of an user. When the
>>> only requirement is that the person is part of a group, you could
>>> check that it is not empty.
>
> What would be the code for "check if not empty"?
> @identity.require(group not empty????)

Looking at http://docs.turbogears.org/1.0/UsingIdentity.
In the controller, you have access to turbogears.identity.current,
which contains the following properties and methods.

You then use the groups property of this. (You could also use
group_ids, but I would find groups more natural.)

--
Cecil Westerhof

Lukasz Szybalski

Jun 10, 2008, 10:41:01 AM
to turbo...@googlegroups.com

Thanks,
So now how do I disable access to any page for a user that is logged
in and does not belong to a group?

Lucas

Cecil Westerhof

Jun 10, 2008, 11:05:04 AM
to turbo...@googlegroups.com

I do not use groups (yet). So it is just a pointer which maybe needs
some refinement.

You start with @identity.require(identity.not_anonymous()), because
when someone is not logged in, they have no groups.

Then in the code you put:
if not turbogears.identity.current.groups:
    the action you want to do when someone does not belong to a group

Be careful: when at a certain point not all groups should have access
to the function, you need to change the code.

--
Cecil Westerhof

Lukasz Szybalski

Jun 10, 2008, 11:18:34 AM
to turbo...@googlegroups.com
On Tue, Jun 10, 2008 at 10:05 AM, Cecil Westerhof
<cldwes...@gmail.com> wrote:
>
> 2008/6/10 Lukasz Szybalski <szyb...@gmail.com>:
>>>>>> I think that there is a way to get the group(s) of an user. When the
>>>>>> only requirement is that the person is part of a group, you could
>>>>>> check that it is not empty.
>>>>
>>>> What would be the code for "check if not empty"?
>>>> @identity.require(group not empty????)
>>>
>>> Looking at http://docs.turbogears.org/1.0/UsingIdentity.
>>> In the controller, you have access to turbogears.identity.current,
>>> which contains the following properties and methods.
>>>
>>> You then use the groups property of this. (You could also use
>>> group_ids, but I would find groups more naturally.)
>>
>> Thanks,
>> So now how do I disable access to any page for a user that is logged
>> in and does not belong to a group?
>
> I do not use groups(yet). So it is just a pointer which maybe needs
> some refinement.
>
> You start with @identity.require(identity.not_anonymous()). Because
> when someone is not logged in, it has no groups.
>
> Then in the code you put:
> if not turbogears.identity.current.groups:
> the action you want to do when someone does not belong to a group

I created global function:

def check_group(groups=None):
    if not groups:
        raise redirect("/pending")

Is there a way I can make this check global? Right now I have to add
this to each function:
def index(self):
    check_group(identity.current.groups)
def func2(self):
    check_group(identity.current.groups)
.....


Lucas

Marco Mariani

Jun 10, 2008, 11:31:39 AM
to turbo...@googlegroups.com


Why don't you write your own identity predicate?


Something like (after importing Predicate and IdentityPredicateHelper
from turbogears.identity):

class whatever_group(Predicate, IdentityPredicateHelper):
    error_message = "Not member of any group."

    def eval_with_object(self, identity, errors=None):
        if identity.groups:
            return True
        self.append_error_message(errors)
        return False


Then, you can use @require(whatever_group())

Untested but simple enough.

Lukasz Szybalski

Jun 10, 2008, 4:03:00 PM
to turbo...@googlegroups.com

I'll give that a try as soon as I find some time.

getting the group list was kind of tricky. ......where group=
list(identity.current.groups)[0]


Thanks,
This will work for now.
Lucas

Lukasz Szybalski

Jul 23, 2008, 4:32:43 PM
to turbo...@googlegroups.com
>
> Why don't you write your own identity predicate?
>
>
> Something like (after importing Predicate and IdentityPredicateHelper
> from turbogears.identity):
>
> class whatever_group(Predicate, IdentityPredicateHelper):
>     error_message = "Not member of any group."
>
>     def eval_with_object(self, identity, errors=None):
>         if identity.groups:
>             return True
>         self.append_error_message(errors)
>         return False
>
>
> Then, you can use @require(whatever_group())


So I'm trying to write this predicate:

class is_part_of_group(identity.Predicate, identity.IdentityPredicateHelper):
    error_message = "Not a member of any group"
    def eval_with_object(self, identity, errors=None):
        identity.not_anonymous()
        if identity.current.groups:
            return True
        self.append_error_message(errors)
        return False


but I get this error:
File "/usr/local/pythonenv/BASELINE/lib/python2.4/site-packages/TurboGears-1.0.4.4-py2.4.egg/turbogears/identity/conditions.py",
line 240, in require
if predicate is None or \
File "/home/xxx/turbogears/xxx/Xxxx/controllers.py", line 104, in
eval_with_object
identity.not_anonymous()
File "/usr/local/pythonenv/BASELINE/lib/python2.4/site-packages/TurboGears-1.0.4.4-py2.4.egg/turbogears/identity/__init__.py",
line 75, in __getattr__
return getattr(identity, name)
AttributeError: 'SqlAlchemyIdentity' object has no attribute 'not_anonymous'

Any ideas why?

Thanks,
Lucas

Lukasz Szybalski

Jul 23, 2008, 4:37:53 PM
to turbo...@googlegroups.com

I guess I had to specify tg.identity.not_anonymous(); not sure why it
got confused with SQLAlchemy.....

Lucas

Christopher Arndt

Jul 23, 2008, 5:09:44 PM
to turbo...@googlegroups.com
Lukasz Szybalski wrote:

> So I'm trying to write this predicate :
>
> class is_part_of_group(identity.Predicate, identity.IdentityPredicateHelper):
>     error_message= "Not a member of any group"
>     def eval_with_object(self, identity, errors=None):
>         identity.not_anonymous()
>         if identity.current.groups:
>             return True
>         self.append_error_message(errors)
>         return False
>
>
> but I get this error:
> AttributeError: 'SqlAlchemyIdentity' object has no attribute 'not_anonymous'
>
> Any ideas why?


Because the name 'identity' is bound to a local variable in this method,
which refers to the object with the current identity (not the identity
module). Just use 'if not identity.anonymous':

See:

http://trac.turbogears.org/browser/branches/1.1/turbogears/identity/conditions.py#L67

and

http://trac.turbogears.org/browser/branches/1.1/turbogears/identity/saprovider.py#L56


Chris
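
Marco's predicate sketch and Chris's fix, combined into an added runnable example that is not code from the thread or from TurboGears: Predicate, require and FakeIdentity below are stand-ins for the turbogears.identity classes (the real predicate also mixes in IdentityPredicateHelper and the real identity object is SqlAlchemyIdentity), so the block runs offline.

```python
# Added example, not code from the thread or from TurboGears: a stand-in
# Predicate/require pair re-creates the TurboGears 1.0 identity predicate
# pattern offline, and is_part_of_group applies the fix from the thread.

class Predicate(object):          # stand-in for turbogears.identity.Predicate
    error_message = "Permission denied."
    def eval_with_object(self, obj, errors=None):
        raise NotImplementedError

    def append_error_message(self, errors=None):
        if errors is not None:
            errors.append(self.error_message)

class IdentityFailure(Exception):  # stands in for the redirect to /login
    pass

class FakeIdentity(object):        # constructed stand-in for SqlAlchemyIdentity
    def __init__(self, anonymous, groups=()):
        self.anonymous = anonymous
        self.groups = set(groups)

class is_part_of_group(Predicate):
    error_message = "Not a member of any group"

    # `identity` here is the identity *object* handed to the predicate, not
    # the turbogears.identity module: that is why identity.not_anonymous()
    # raised AttributeError. A logged-in user with no group is refused too.
    def eval_with_object(self, identity, errors=None):
        if not identity.anonymous and identity.groups:
            return True
        self.append_error_message(errors)
        return False

def require(predicate):            # stand-in for identity.require
    def decorate(func):
        def wrapper(identity, *args, **kw):
            errors = []
            if not predicate.eval_with_object(identity, errors):
                raise IdentityFailure("; ".join(errors))
            return func(identity, *args, **kw)
        return wrapper
    return decorate

@require(is_part_of_group())
def group_data(identity):
    # Scope the query to every group the user is in, not list(groups)[0]
    # as in the thread, which silently ignores all but one membership.
    return sorted(identity.groups)

def access_allowed(identity):
    try:
        group_data(identity)
        return True
    except IdentityFailure:
        return False
```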

Kevin Horn

Jul 23, 2008, 5:53:10 PM
to turbo...@googlegroups.com
As a quick and dirty solution you could probably do something like:

group_list = <a list of all your groups>

@identity.in_any_group():

Kevin Horn

Jul 23, 2008, 5:55:00 PM
to turbo...@googlegroups.com
erg...gmail sent before I was finished...

As a quick and dirty solution you could probably do something like (untested):


group_list = <a list of all your groups>

@identity.require(identity.in_any_group(*group_list))
def index(self):
    ... stuff goes here ...

though creating your own identity predicate is probably the best way.

Kevin Horn

Lukasz Szybalski

Jul 25, 2008, 11:44:50 AM
to turbo...@googlegroups.com
>> class is_part_of_group(identity.Predicate, identity.IdentityPredicateHelper):
>>     error_message= "Not a member of any group"
>>     def eval_with_object(self, identity, errors=None):
>>         identity.not_anonymous()
>>         if identity.current.groups:
>>             return True
>>         self.append_error_message(errors)
>>         return False
>>
>>
>> but I get this error:
>> AttributeError: 'SqlAlchemyIdentity' object has no attribute 'not_anonymous'
>>
>> Any ideas why?
>
>
> Because the name 'identity' is bound to a local variable in this method,
> which refers to the object with the current identity (not the identity
> module). Just use 'if not identity.anonymous':
>
Thanks.

Now I'm trying to allow people on a local subnet to access the
website without requiring them to log in/register.

Step 1: match the IP to the allowed subnet.

Can the function _match_ip match
identity.from_host("192.168.1.*") with any IP 192.168.1.1-255?

I'm looking at the source code here but it doesn't seem so, unless ...?
http://lucasmanual.com/tgdocs/turbogears.identity.conditions-pysrc.html#_match_ip

What would I have to set to make the user look logged in as "Employee"?
if identity.from_host("192.168.1.*"):
    tg.identity.current.groups = 'employeegroup'
    tg.identity.current.user = 'employee'... ? What else should I set?

Thanks,
Lucas

Lukasz Szybalski

Jul 25, 2008, 3:23:20 PM
to turbo...@googlegroups.com
> Step 1: match the IP to the allowed subnet.
>
> Can the function _match_ip match
> identity.from_host("192.168.1.*") with any IP 192.168.1.1-255?

Actually I see _match_ip will match 192.168.1.0/24

How do I get a return value from "identity.from_host('192.168.1.0/24')"

tg.identity.from_host("192.168.1.0/24").eval_with_object()
TypeError: eval_with_object() takes at least 2 arguments (1 given)

Ideas?
Thanks,
Lucas

Lukasz Szybalski

Jul 25, 2008, 4:56:39 PM
to turbo...@googlegroups.com

So I was trying to just evaluate that myself, but for some reason
_remoteHost doesn't return the proper value when running in testing?

from turbogears.identity.conditions import _match_ip
from turbogears.identity.conditions import _remoteHost

ip = _remoteHost()
cidr='192.168.1.12'
print cidr,ip,_match_ip(cidr, ip)

returns
192.168.1.12 ::ffff:192.168.1.12 False

Any ideas why the _remoteHost() function returns ::ffff:192.168.1.12
instead of 192.168.1.12??


Lucas

Christopher Arndt

Jul 26, 2008, 12:38:08 PM
to turbo...@googlegroups.com
Lukasz Szybalski wrote:

> ip = _remoteHost()
> cidr='192.168.1.12'
> print cidr,ip,_match_ip(cidr, ip)
>
> returns
> 192.168.1.12 ::ffff:192.168.1.12 False
>
> Any ideas why the _remoteHost() function returns ::ffff:192.168.1.12
> instead of 192.168.1.12??

Because you have an IPv6-enabled system, like Ubuntu for example.

For a longer explanation of the (rather complicated) issue and how this
is handled in TG 1.1, please see this ticket:

http://trac.turbogears.org/ticket/1713

Chris
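
An added example, not TurboGears' own _match_ip, of matching the peer address against a CIDR block while unwrapping the IPv4-mapped IPv6 form (::ffff:a.b.c.d) that _remoteHost() returned above; it goes a little beyond the thread by also accepting a network written in mapped form and by failing closed on unparseable input. The sample peer list is constructed, not taken from the thread.

```python
# Added example, not TurboGears' own _match_ip: a CIDR matcher that unwraps
# the IPv4-mapped IPv6 form (::ffff:a.b.c.d) that _remoteHost() returned on
# the IPv6-enabled host in the thread, which is why
# _match_ip('192.168.1.12', '::ffff:192.168.1.12') came back False.
import ipaddress

def normalize_ip(text):
    """Parse one address; an IPv4-mapped IPv6 address becomes plain IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def normalize_network(text):
    """Parse a bare host ('192.168.1.12' -> /32) or a CIDR block; a block
    written in mapped form (::ffff:192.168.1.0/120) becomes its IPv4 block."""
    net = ipaddress.ip_network(text.strip(), strict=False)
    if net.version == 6 and net.prefixlen >= 96:
        v4 = net.network_address.ipv4_mapped
        if v4 is not None:
            net = ipaddress.ip_network("%s/%d" % (v4, net.prefixlen - 96),
                                       strict=False)
    return net

def match_ip(cidr, ip):
    """True only if ip lies inside cidr. ip must be the peer address as the
    socket layer reported it (what _remoteHost() gives you), never a value
    the client supplied. Anything unparseable fails closed."""
    try:
        net = normalize_network(cidr)
        addr = normalize_ip(ip)
    except ValueError:
        return False
    return addr in net          # False, not an error, if versions differ

# Constructed sample peer addresses (not from the thread) covering the edge
# cases: plain IPv4, mapped IPv4, other subnet, real IPv6, garbage.
SAMPLE_PEERS = [
    "192.168.1.12", "::ffff:192.168.1.12", "192.168.2.7",
    "::ffff:192.168.2.7", "::1", "not-an-ip",
]

def allowed_peers(cidr, peers=SAMPLE_PEERS):
    """Which of the sample peers from_host(cidr) would let through."""
    return [p for p in peers if match_ip(cidr, p)]
```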

Lukasz Szybalski

Jul 28, 2008, 12:45:49 AM
to turbo...@googlegroups.com

Thanks again.
Will the patch of _match_ip be applied to the next release of the
1.0.x version of tg?

Lucas
