Formerly JulioFlores.com - random ramblings about web2py, python, Zope and a bit of C#
web2py is one of the nicest python frameworks I've played with in years (this blog itself was coded 100% in it, in about 10 days). It is what I call a great prototyping framework. You do need to know at least the basics of the python programming language to see its true potential; nevertheless, if you are looking to get into web application development, I'd suggest you consider this platform as one of your candidates.

Having said that, and just like any other framework out there, it is not without some gotchas and caveats IMHO. Take a look at the authentication/authorization framework: there is none. Well, that is not 100% accurate. web2py supports CAS and a rather simple-to-use layer (called T2) to authenticate and control permission levels down to the SQL table record level (i.e. a user can "own" a record in a table and only he/she can change it).

I am all for this approach: provide the framework, plus "pluggable" modules that you can attach to your project and use. There has been some talk in the web2py community about integrating "T2" into the main web2py core, which I personally do not agree with.

So, I needed a specific way of controlling access to this blog: I should be the only one allowed to create/edit/delete posts, and my readers should be able to just post comments to it. Nothing really fancy, but functional.

I decided to allow *any* visitor who wished to post a comment on any of my posts to do so without having to apply for an account. Yes, I know what you're thinking (spam galore), but that is why I implemented my "poor man's captcha" (go ahead, add a comment :). Anyway, I *still* needed to implement some sort of authentication mechanism.

So I did. In every web2py application you can create a "global" module (a class module, in this case), located (conveniently) in the modules folder of the app, and instantiate it when the application runs and reads the model. From that moment on, you may use your class at will in your project.

In my case, I created zauth.py. Here are its contents:

class AUTH_USER(object):
    """ Role-Based authentication module """

    def __init__(self, request, response, session, cache, T, db):
        # Keep references to the web2py globals handed over from the model.
        self.request = request
        self.response = response
        self.session = session
        self.cache = cache
        self.T = T
        self.db = db
        self._anonymous_user = 'Anonymous User'

    def authenticate(self, auth_email):
        """ sets authentication for the user """
        # The identity lives in the (server-side) web2py session.
        self.session.auth_email = auth_email

    def logout(self):
        """ Clear the session """
        self.session.auth_email = None

    def has_role(self, role):
        """ Returns True if user belongs to role, or false if user is not
        authenticated or does not belong to the role """
        hasrole = False
        roles = []
        if self.is_auth():
            auth_email = self.session.auth_email
            # Join auth_users -> auth_user_role -> auth_roles for this email.
            user_roles = self.db((self.db.auth_users.auth_email == auth_email) &
                                 (self.db.auth_users.id == self.db.auth_user_role.auth_user_id) &
                                 (self.db.auth_user_role.auth_role_id == self.db.auth_roles.id)
                                 ).select(self.db.auth_roles.auth_role_name)
            if user_roles:
                roles = [each_role.auth_role_name for each_role in user_roles
                         if each_role.auth_role_name == role]
            if roles:
                hasrole = True
        return hasrole

    def get_roles(self):
        """ Returns a list of roles the user belongs to """
        roles = []
        auth_email = self.get_user_name()
        # Same three-table join; an anonymous user simply matches no rows.
        user_roles = self.db((self.db.auth_users.auth_email == auth_email) &
                             (self.db.auth_users.id == self.db.auth_user_role.auth_user_id) &
                             (self.db.auth_user_role.auth_role_id == self.db.auth_roles.id)
                             ).select(self.db.auth_roles.auth_role_name)
        if user_roles:
            roles = [each_role.auth_role_name for each_role in user_roles]
        return roles

    def get_user_name(self):
        """ returns the username """
        _auth_name = self.session.auth_email
        if _auth_name is None:
            _auth_name = self._anonymous_user
        return _auth_name

    def is_auth(self):
        """ True if the user has been authenticated in the system, false otherwise """
        return self.get_user_name() != self._anonymous_user

Now, whenever the user accesses a controller (a URL such as /zblog/default/index) you can check AUTH_USER.is_auth(), AUTH_USER.has_role('Administrator'), or any other ROLE you decide to add to your application. The class above works fine as is; however, the "new" version of this blog adds encryption to the session for a slightly harder-to-steal-my-session approach (as suggested by Massimo Di Pierro's web2py book).
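To show the same role check running end to end outside web2py, here is an added example (mine, not the blog's zauth.py): it uses the three-table layout from the post (auth_users, auth_user_role, auth_roles), an in-memory sqlite3 database standing in for the web2py DAL, a plain dict standing in for the session, and a small requires_role decorator that guards a controller action the way the post describes. The e-mail addresses, role names and the delete_post action are constructed sample data.

```python
"""Role-based access check over the blog post's three-table layout.
sqlite3 stands in for the web2py DAL and a dict for the session
(both assumptions made for this stand-alone example)."""
import sqlite3
from functools import wraps

ANONYMOUS = 'Anonymous User'

SCHEMA = """
CREATE TABLE auth_users (id INTEGER PRIMARY KEY, auth_email TEXT UNIQUE NOT NULL);
CREATE TABLE auth_roles (id INTEGER PRIMARY KEY, auth_role_name TEXT UNIQUE NOT NULL);
CREATE TABLE auth_user_role (
    auth_user_id INTEGER NOT NULL REFERENCES auth_users(id),
    auth_role_id INTEGER NOT NULL REFERENCES auth_roles(id),
    PRIMARY KEY (auth_user_id, auth_role_id));
"""


def make_db():
    """Constructed sample data: one site owner, one plain commenter."""
    db = sqlite3.connect(':memory:')
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO auth_users (auth_email) VALUES (?)",
                   [('owner@example.com',), ('reader@example.com',)])
    db.executemany("INSERT INTO auth_roles (auth_role_name) VALUES (?)",
                   [('Administrator',), ('Commenter',)])
    db.executemany(
        "INSERT INTO auth_user_role VALUES "
        "((SELECT id FROM auth_users WHERE auth_email = ?),"
        " (SELECT id FROM auth_roles WHERE auth_role_name = ?))",
        [('owner@example.com', 'Administrator'),
         ('owner@example.com', 'Commenter'),
         ('reader@example.com', 'Commenter')])
    return db


class RoleAuth(object):
    """Same contract as the post's AUTH_USER: identity is whatever the
    session says, roles come from the join at request time."""

    def __init__(self, session, db):
        self.session = session
        self.db = db

    def authenticate(self, auth_email):
        self.session['auth_email'] = auth_email

    def logout(self):
        self.session.pop('auth_email', None)

    def get_user_name(self):
        return self.session.get('auth_email') or ANONYMOUS

    def is_auth(self):
        return self.get_user_name() != ANONYMOUS

    def get_roles(self):
        # Anonymous users get no roles without touching the database.
        if not self.is_auth():
            return []
        rows = self.db.execute(
            "SELECT r.auth_role_name FROM auth_users u "
            "JOIN auth_user_role ur ON ur.auth_user_id = u.id "
            "JOIN auth_roles r ON r.id = ur.auth_role_id "
            "WHERE u.auth_email = ?", (self.get_user_name(),)).fetchall()
        return sorted(name for (name,) in rows)

    def has_role(self, role):
        return role in self.get_roles()


def requires_role(auth, role):
    """Guard a controller action: the role is re-checked on every call,
    so a logout or a revoked role takes effect on the next request."""
    def deco(action):
        @wraps(action)
        def guarded(*args, **kw):
            if not auth.has_role(role):
                return (403, 'forbidden')   # hypothetical HTTP-style result
            return (200, action(*args, **kw))
        return guarded
    return deco


def demo():
    """Walk one session through anonymous, reader, owner and logged-out."""
    auth = RoleAuth({}, make_db())

    @requires_role(auth, 'Administrator')
    def delete_post(post_id):
        return 'deleted %d' % post_id

    results = {'anon': delete_post(7)}
    auth.authenticate('reader@example.com')
    results['reader'] = delete_post(7)
    auth.authenticate('owner@example.com')
    results['owner'] = delete_post(7)
    auth.logout()
    results['after_logout'] = delete_post(7)
    return results


if __name__ == '__main__':
    for who, outcome in sorted(demo().items()):
        print(who, outcome)
```

Note that nothing here verifies who wrote auth_email into the session: the check is only as strong as the session store and the cookie that selects it, which is exactly why the post's newer version hardens the session itself.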

All that is left to do now is add our custom "login" and "logout" methods and corresponding views (which I did, but since they are not "public", there is no place in the UI to click to get to them). I'd be happy to provide you with the full source code for this app if you wish.

That is it for now. It is always nice to come back from working all day in VS to rediscover the real fun of programming: python is the best, web2py follows.
