Request authorization

Created: Apr 5, 2011
exception milla.auth.NotAuthorized

Base class for unauthorized exceptions

This class is both an exception and a controller callable. If the request validator raises an instance of this class, it will be called and the resulting value will become the HTTP response. The default implementation simply returns HTTP status 403 and a simple body containing the exception message.

class milla.auth.RequestValidator

Base class for request validators

A request validator is a class that exposes a validate method, which accepts an instance of webob.Request and an optional requirement. The validate method should return None on successful validation, or raise an instance of NotAuthorized on failure. The base implementation will raise an instance of the exception specified by exc_class, which defaults to NotAuthorized.

To customize the response to unauthorized requests, it is sufficient to subclass NotAuthorized, override its __call__() method, and specify the class in exc_class.


exc_class

Exception class to raise if the request is unauthorized

alias of NotAuthorized

validate(request, requirement=None)

Validates a request

  • request – The request to validate. Should be an instance of webob.Request.
  • requirement – (Optional) A requirement to check. Should be an instance of Permission or PermissionRequirement, or some other class with a check method that accepts a sequence of permissions.

The base implementation will perform authorization in the following way:

  1. Does the request have a user attribute? If not, raise NotAuthorized.
  2. Is the truth value of request.user true? If not, raise NotAuthorized.
  3. Does the request.user object have a permissions attribute? If not, raise NotAuthorized.
  4. Do the user’s permissions meet the requirements? If not, raise NotAuthorized.

If none of the above steps raised an exception, the method will return None, indicating that the validation was successful.


WebOb Request instances do not have a user attribute by default. You will need to supply this yourself, e.g. in a WSGI middleware or in the __before__ method of your controller class.
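The four checks above and the exc_class customization, as an added stand-alone sketch that is not milla's own code: NotAuthorized, RequestValidator, RequirePermission, LoginRedirect, LoginValidator, Obj and respond are stand-ins defined here, and the /login path is hypothetical. Responses are simplified to (status, body) tuples, and skipping step 4 when no requirement is passed is an assumption.

```python
# Stand-alone sketch: nothing here is imported from milla or webob.
class NotAuthorized(Exception):
    """Exception that doubles as a controller callable (default: 403)."""
    def __call__(self, request):
        return 403, str(self)

class LoginRedirect(NotAuthorized):
    """Custom response: send the client to a login page (hypothetical path)."""
    def __call__(self, request):
        return 303, "/login"

class RequirePermission:
    """Stand-in requirement exposing check(sequence_of_permissions)."""
    def __init__(self, name):
        self.name = name
    def check(self, perms):
        return self.name in perms

class RequestValidator:
    exc_class = NotAuthorized

    def validate(self, request, requirement=None):
        # Steps 1 and 2: a missing or falsy request.user fails closed.
        user = getattr(request, "user", None)
        if not user:
            raise self.exc_class("Request has no authenticated user")
        # Step 3: a user object without permissions fails closed.
        if not hasattr(user, "permissions"):
            raise self.exc_class("User has no permissions attribute")
        # Step 4 (assumption: skipped when no requirement is given).
        if requirement is not None and not requirement.check(user.permissions):
            raise self.exc_class("Insufficient permissions")
        return None

class LoginValidator(RequestValidator):
    exc_class = LoginRedirect  # unauthorized requests now get the redirect

class Obj:
    """Constructed sample request/user object."""
    def __init__(self, **attrs):
        self.__dict__.update(attrs)

def respond(validator, request, requirement=None):
    """Mimic the dispatcher: call the raised exception to get a response."""
    try:
        validator.validate(request, requirement)
    except NotAuthorized as exc:
        return exc(request)
    return 200, "ok"
```

Every path that does not positively establish a user with sufficient permissions ends in the exception, so a request that never had user set by middleware is rejected rather than allowed.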