tipfy.ext.acl
This extension provides a lightweight access control implementation to check for user permissions to application resources.
See the extension wiki page.
- class tipfy.ext.acl.Acl(area, user, roles_map=None, roles_lock=None)
Loads access rules and roles for a given user in a given area and provides a centralized interface to check permissions. Each Acl object checks the permissions for a single user. For example:

    from tipfy.ext.acl import Acl

    # Build an Acl object for user 'John' in the 'code-reviews' area.
    acl = Acl('code-reviews', 'John')

    # Check if 'John' is 'admin' in the 'code-reviews' area.
    is_admin = acl.is_one('admin')

    # Check if 'John' can approve new reviews.
    can_edit = acl.has_access('EditReview', 'approve')

- roles_map
Dictionary of available role names mapping to list of rules.
- roles_lock
Lock for role changes. This is needed because, if role definitions change, any existing cache entries that applied the previous definitions must be invalidated.
- __init__(area, user, roles_map=None, roles_lock=None)
Loads access privileges and roles for a given user in a given area.
Parameters:
- area – An area identifier, as a string.
- user – A user identifier, as a string.
- roles_map – A dictionary of roles mapping to a list of rule tuples.
- roles_lock – Roles lock string to validate cache. If not set, uses the application version id.
- reset()
Resets the currently loaded access rules and user roles.
- is_one(role)
Check to see if a user is in a role group.
Parameters:
- role – A role name, as a string.
Returns: True if the user is in this role group, False otherwise.
- is_any(roles)
Check to see if a user is in any of the listed role groups.
Parameters:
- roles – An iterable of role names.
Returns: True if the user is in any of the role groups, False otherwise.
- is_all(roles)
Check to see if a user is in all of the listed role groups.
Parameters:
- roles – An iterable of role names.
Returns: True if the user is in all of the role groups, False otherwise.
- has_any_access()
Checks if the user has any access or roles.
Returns: True if the user has any access rule or role set, False otherwise.
- has_access(topic, name)
Checks if the user has access to a topic/name combination.
Parameters:
- topic – A rule topic, as a string.
- name – A rule name, as a string.
Returns: True if the user has access to this rule, False otherwise.
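
The roles_lock behaviour described above, as an added example that is not tipfy's own code: a simplified, self-contained model in which resolved rules are cached together with the lock that produced them. The cache dictionary, key format, helper names, sample data and the first-match, default-deny evaluation are assumptions made for the illustration.

```python
# Simplified model of lock-validated ACL caching (not tipfy's implementation).
# Rule tuples are (topic, name, flag), the fields documented for is_rule_set().
# Assumed semantics: first matching rule wins; no match means deny.

CACHE = {}  # stands in for memcache: key -> (roles_lock, rules)

# Constructed sample data: John's stored roles in the 'code-reviews' area.
USER_ROLES = {('code-reviews', 'John'): ['reviewer']}


def resolve_rules(area, user, roles_map):
    """Expand the user's roles into a flat list of rule tuples."""
    rules = []
    for role in USER_ROLES.get((area, user), []):
        rules.extend(roles_map.get(role, []))
    return rules


def load_rules(area, user, roles_map, roles_lock, check_lock=True):
    """Return the user's rules, reusing the cache only if the lock matches."""
    key = '%s:%s' % (area, user)  # hypothetical key format
    cached = CACHE.get(key)
    if cached is not None and (not check_lock or cached[0] == roles_lock):
        return cached[1]
    rules = resolve_rules(area, user, roles_map)
    CACHE[key] = (roles_lock, rules)
    return rules


def has_access(rules, topic, name):
    """First matching (topic, name) rule decides; default is deny."""
    for rule_topic, rule_name, flag in rules:
        if (rule_topic, rule_name) == (topic, name):
            return flag
    return False


def demo(check_lock):
    """Grant 'approve' to reviewers, then revoke it in a new deployment."""
    CACHE.clear()
    v1 = {'reviewer': [('EditReview', 'approve', True)]}
    v2 = {'reviewer': [('EditReview', 'approve', False)]}
    before = has_access(load_rules('code-reviews', 'John', v1, 'v1'),
                        'EditReview', 'approve')
    after = has_access(load_rules('code-reviews', 'John', v2, 'v2', check_lock),
                       'EditReview', 'approve')
    return before, after
```

demo(True) returns (True, False): the changed lock forces the rules to be resolved again. demo(False) returns (True, True): with the lock check skipped, the revoked permission is still served from the cache.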
- class tipfy.ext.acl.AclRules(parent=None, key_name=None, _app=None, _from_entity=False, **kwds)
Stores roles and rules for a user in a given area.
- classmethod get_key_name(area, user)
Returns this entity’s key name, also used as memcache key.
Parameters:
- area – Area string identifier.
- user – User string identifier.
Returns: The key name.
- classmethod get_by_area_and_user(area, user)
Returns an AclRules entity for a given user in a given area.
Parameters:
- area – Area string identifier.
- user – User string identifier.
Returns: An AclRules entity.
- classmethod insert_or_update(area, user, roles=None, rules=None)
Inserts or updates ACL rules and roles for a given user. This will reset roles and rules if the user exists and the values are not passed.
Parameters:
- area – Area string identifier.
- user – User string identifier.
- roles – List of the roles for the user.
- rules – List of the rules for the user.
Returns: An AclRules entity.
- classmethod get_roles_and_rules(area, user, roles_map, roles_lock)
Returns a tuple (roles, rules) for a given user in a given area.
Parameters:
- area – Area string identifier.
- user – User string identifier.
- roles_map – Dictionary of available role names mapping to list of rules.
- roles_lock – Lock for the roles map: a unique identifier to track changes.
Returns: A tuple of (roles, rules) for the given user in the given area.
- classmethod set_cache(cache_key, spec)
Sets a memcache value.
Parameters:
- cache_key – The Cache key.
- spec – Value to be saved.
- classmethod delete_cache(cache_key)
Deletes a memcache value.
Parameters:
- cache_key – The Cache key.
- put()
Saves the entity and clears the cache.
- delete()
Deletes the entity and clears the cache.
- is_rule_set(topic, name, flag)
Checks if a given rule is set.
Parameters:
- topic – A rule topic, as a string.
- name – A rule name, as a string.
- flag – A rule flag, a boolean.
Returns: True if the rule already exists, False otherwise.
- class tipfy.ext.acl.AclMixin
A mixin that adds an acl property to a tipfy.RequestHandler.
The handler must have the properties area and current_user set for it to work.
- acl
Loads and returns the access permissions for the currently logged-in user. This requires the handler to have the area and current_user attributes. When cast to a string, they must return the object identifiers.
