0 votes

So I'm trying to port some old Pylons code to Pyramid, and I'd like to be able to improve on the Auth setup - specifically support better RBAC, and Pyramid has good support for this. However, I'd like to offer unauthorised users better info when they try illegal pages:

"Sorry, in order to view [page] you ([user]) need [group] privileges - please contact [admin]"

However I don't see how that's practical in Pyramid - I can do stuff in the forbidden_view_config page, however I can't easily find all the info needed from the page which was attempted - is it possible to get the exception or similar with the actual reason why permission was not granted?

Is your question, "Where do I get the 4 pieces of information that I want to display in the forbidden view?" Assuming that is the case, then you can get that from the request object. See docs.pylonsproject.org/projects/pyramid/en/latest/api/… for a good starting point for security related objects and methods. - Steve Piercy

I'm not sure where I'd easily get the 'page', or rather route_name, and which permission is needed to access it? One thing I was considering was overloading ACLAuthorizationPolicy, so that the info was pushed onto the session for authenticated users - which would mean I could present it quite easily. If I'm about to generate the forbidden_view_config page, then how would I be able to find out which permission was required for the previous (attempted) page? I have the referrer from request, the user, but the required permission I can't seem to find + I'd prefer the route_name as it's behind a proxy. - Steffen Schumacher

context is one place to get the object. The request object itself should have all the other bits you need. Unless, of course, you redirect to another page. - Steve Piercy

Ok, but whenever a permission is lacking, won't users automatically be redirected to the forbidden_view_config page, or is that page rendered instead of the forbidden one? I'll have a look at the tutorial when I can. - thanks! - Steffen Schumacher

No redirect, unless you tell your app to do so with return HTTPFound(location=request.route_url("home")), for example. You should raise HTTPForbidden(). You can customize that however you like. Pyramid docs and the Community Cookbook have examples. - Steve Piercy

1 Answer

1 vote

The request object itself should have all the bits you need.

Specifically, security-related pieces lists some of the request attributes that you can retrieve. Also the request.exception attribute will be available when an exception is raised. There are several URL-related pieces available to get the "page", including application_url.
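The pieces the answer points at, put together as an added example (not code from the question, the answer or the Pyramid project): after a failed permission check Pyramid raises HTTPForbidden with the ACLDenied result on its `result` attribute, so a forbidden view can read `request.exception.result` for the permission and ACL, `request.matched_route` for the route name and `request.authenticated_userid` for the user. It assumes an ACL-based authorization policy with standard `(action, principal, permissions)` ACEs; `ADMIN_CONTACT` is a constructed placeholder, and the helpers take only request attributes so the module can be unit tested with a stub request.

```python
ADMIN_CONTACT = "admin@example.com"  # constructed placeholder, not from the page

def groups_allowed(acl, permission):
    """Principals whose Allow ACE grants ``permission`` in an evaluated __acl__;
    ACLDenied.acl is a '<No ACL found ...>' string when the lineage had none."""
    if not isinstance(acl, (list, tuple)):
        return []
    allowed = []
    for action, principal, perms in acl:
        # perms is one permission name, a sequence of names, or ALL_PERMISSIONS
        # (which answers True to ``in``); Deny entries never grant anything.
        if action != "Allow":
            continue
        if perms == permission or (not isinstance(perms, str) and permission in perms):
            allowed.append(str(principal))
    return allowed

def describe_denial(denied, route_name, userid):
    """Build the message from request.exception.result (an ACLDenied carrying
    permission, acl, principals and context) or None for a hand-raised 403."""
    page = route_name or "this page"
    if userid is None:
        # Anonymous callers only learn that they must log in; the required
        # permission and the groups holding it are not disclosed to them.
        return "Sorry, you must log in to view %s." % page
    permission = getattr(denied, "permission", None)
    if permission is None:
        return "Sorry, you (%s) may not view %s - please contact %s." % (
            userid, page, ADMIN_CONTACT)
    groups = groups_allowed(getattr(denied, "acl", None), permission)
    return ("Sorry, in order to view %s you (%s) need '%s' privileges on %s, "
            "held by %s - please contact %s." % (
                page, userid, permission, type(denied.context).__name__,
                ", ".join(groups) or "no group", ADMIN_CONTACT))

def forbidden_view(request):
    """Forbidden view: Pyramid's HTTPForbidden is request.exception and, after a
    failed ACL check, carries the ACLDenied object on its ``result`` attribute."""
    denied = getattr(request.exception, "result", None)
    route_name = request.matched_route.name if request.matched_route else None
    request.response.status_int = 403
    request.response.text = describe_denial(
        denied, route_name, request.authenticated_userid)
    return request.response

def includeme(config):
    """Hook for config.include(); add_forbidden_view is Pyramid's registration API."""
    config.add_forbidden_view(forbidden_view)
```

Register it with `config.include('yourpackage.thismodule')` or decorate `forbidden_view` with `@forbidden_view_config()` and scan; an HTTPForbidden you raise by hand has no `result`, which is why `describe_denial` tolerates `None`.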