Scope authenticated users in accounts


fishwebby

Aug 15, 2011, 4:31:33 PM
to web2py-users
(web2py newbie here) - I've got user authentication working ok, but
I'd like to be able to scope the auth_users inside an account. My plan
is to have accounts identified by subdomains, e.g.
account_one.example.com, and then inside that the users can login (a
la Basecamp).

I've got the following working to get the account model based on the
subdomain, redirecting to an "account not found" page:

def requires_account(f):
    # Take the left-most host label as the account subdomain; the lookup runs
    # when the controller is loaded, which in web2py happens on every request.
    # Dropping a ':port' and guarding the empty case avoids an IndexError on a
    # bare 'example.com' host.
    labels = request.env.http_host.split(':')[0].split('.')[:-2]
    subdomain = labels.pop() if labels else None
    account = db(db.account.subdomain==subdomain).select().first()

    if not account:
        redirect(URL('default', 'account_not_found'))

    return f


@requires_account
@auth.requires_login()   # requires_login must be called to produce the decorator
def index():
    ...


However, I'm a bit stumped as to how to restrict the login to only
those users in that account. I've added an account_id field to the
auth_users table, but I'm not sure how to proceed - I think ideally
I'd like to extend / override the requires_login method so it uses the
account but I can't work out how to do it - any help (or suggestions
of a better way to do it!) is greatly appreciated!

Many thanks
Dave

Anthony

Aug 15, 2011, 4:53:22 PM
to web...@googlegroups.com
You might want to consider using this: https://groups.google.com/d/msg/web2py/NrvxeWQJvH0/wbafxppaf1QJ (note, 'request_precinct' has been changed to the more general 'request_tenant', as noted later in that thread). Otherwise, I suppose you could use the Auth groups functionality (http://web2py.com/book/default/chapter/08#Authorization) -- create a group for each subdomain and assign/check permissions based on the current request's subdomain. Note, the full multi-tenancy solution (first link) might be better because it allows you to easily segment every single database table by subdomain so any queries return only results related to the particular subdomain.
 
Also, rather than creating your own requires_account decorator, you could probably just use auth.requires (see http://web2py.com/book/default/chapter/08#Combining-Requirements).
 
Anthony

pbreit

Aug 15, 2011, 5:01:58 PM
to web...@googlegroups.com
I wonder if you could write some sort of custom validator that checks that the subdomain matches auth.user.account_id?

fishwebby

Aug 15, 2011, 8:15:12 PM
to web2py-users
Fantastic, the request_tenant method is just what I was looking for!

So this is what I've got working:

def requires_account(f):
    """
    Redirect to the account not found page if there is no account
    (decorator function)
    """
    if not get_account():
        redirect(URL('accounts', 'not_found'))

    return f

def get_account():
    """
    Get the account from the subdomain and store it in the session, if
    not already stored for this subdomain
    """
    labels = request.env.http_host.split(':')[0].split('.')[:-2]
    subdomain = labels.pop() if labels else None
    # Re-resolve when the stored account belongs to another subdomain;
    # otherwise a session cookie shared across *.example.com would keep
    # serving whichever account it saw first.
    if not session.account or session.account_subdomain != subdomain:
        session.account_subdomain = subdomain
        session.account = db(db.account.subdomain==subdomain).select(
            db.account.id, db.account.title).first()

    return session.account


defined in db.py (is that the best place to put them?) - then after
I've defined the account table, I've got this:

db._request_tenant = 'account_id'
# The model file runs before the controller's requires_account check, so
# guard the case where the subdomain matches no account.
account = get_account()
db._common_fields = [Field('account_id',
                           default=account.id if account else None,
                           writable=False, readable=False)]

Which seems to work rather nicely.

Thank you very much for your reply!


On Aug 15, 10:53 pm, Anthony <abasta...@gmail.com> wrote:
> You might want to consider using this: https://groups.google.com/d/msg/web2py/NrvxeWQJvH0/wbafxppaf1QJ (note,
> 'request_precinct' has been changed to the more general 'request_tenant', as
> noted later in that thread). Otherwise, I suppose you could use the Auth
> groups functionality (http://web2py.com/book/default/chapter/08#Authorization) -- create a group
> for each subdomain and assign/check permissions based on the current
> request's subdomain. Note, the full multi-tenancy solution (first
> link) might be better because it allows you to easily segment every single
> database table by subdomain so any queries return only results related to
> the particular subdomain.
>
> Also, rather than creating your own requires_account decorator, you could
> probably just use auth.requires (see http://web2py.com/book/default/chapter/08#Combining-Requirements).