MongoDB and Pylons, authorization system with permissions

Wed, 09 Mar 2011 22:18:45 -0800 

I use MongoDB I want to build a simple user authentication system with
permissions.

I do not use schemas mongokit, only pymongo.

There are 'users', 'groups' and 'roles' collections.
users contain list of groups _id =
[ObjectId(4d738cc9b2996d11ec00003c),
ObjectId(4d738cc2b2996d11ec00003b)]
groups contain list of roles _id =
[ObjectId(4d738cc2b2996d11ec000001),
ObjectId(4d738cc2b2996d11ec000002)]
roles documents have 'name'

So I want to make a validator for controlles and some validation
function for templates like

@check_access('Create documents')
h.has_access(c.current_user, u'Delete documents')

    def __call__(self, environ, start_response):
        """Invoke the Controller"""
        pylons = environ['pylons.pylons']
        self._db = pylons.app_globals.db
        if 'REMOTE_USER' in session:
            c.current_user = self._db.users.find_one({'login':
session['REMOTE_USER']})
        else:
            c.current_user = None
        return WSGIController.__call__(self, environ, start_response)


def has_access(userlogin, inrole):
    groups = self._db.users.find_one({'login': usergroup},{'_id': 0,
'groups': 1})
    for group in groups['groups']:
        roles = self._db.groups.find_one({'_id': ObjectId(group)},
{'_id': 0, 'roles': 1})
        for role in roles['roles']:
            crole = self._db.roles.find_one({'_id': role},{'_id': 0,
'name': 1})
            if crole and inrole == crole['name']:
                return True
    return False

def check_access(inrole):
    def validate(func, self, *args, **kwargs):
        if 'REMOTE_USER' in session:
            current_user = self._db.users.find_one({'login':
session['REMOTE_USER']})
            if has_access(userlogin, inrole):
                return func(self, *args, **kwargs)
            else:
                pass
                #h.flash.set_message(u'You have no permission')
        else:
            return func(self, *args, **kwargs)
    return decorator(validate)

Is that correct, or should I build a different system of
authorization? There are a lot of queries, may be it would be better
to make current_user list of roles every rendering and check at
templates like

if u'Creating documents' in c.curuser_roles:

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en.

Reply via email to