[pylons-discuss] Pyramid Authentication/Authorization Questions

2022-11-29 Thread Jonathan Vanasco
I have 2 large Pyramid applications that use an in-house 
authentication/authorization and request pre-processing system.  I'm in the 
middle of porting a legacy mod_perl app to Pyramid, and weighing the 
options of: (i) converting everything to more native Pyramid code, or (ii) 
abstracting the current system into something more extensible.  

One of the two existing apps was originally built on Pylons; the other dates 
back to either before Pyramid's current auth existed, or at least before it 
was as robust as it is now.

Both apps use the Pylons style "handler" approach to writing view 
callables.  A base handler class exists with some core pre-processing logic:
* initialize some request vars
* handle any cookie processing (autologin cookie, preview access, etc)
* handle API vs Web request differences; set up context
* require HTTPS or specific TLS versions

The base handlers are then subclassed into Authorization policies, topline 
options like: LoggedIn / LoggedOut / LoggedAny (e.g. 
pyramid.authorization.Everyone).  The "LoggedIn" are further subclassed 
into discrete permissions, and eventually we have a `/views` directory 
with subclasses, and their methods are hooked into Pyramid via 
`@view_config` decorators.

This has worked well for 10+ years and the applications have scaled very 
well performance-wise, but the maintenance on them leaves a bit to be 
desired as we need to upgrade/patch each application separately for most 
auth related issues and improvements.  

I'm wondering if there are any components in Pyramid2 that may be used to 
develop a simpler-to-manage replacement for existing apps and give a good 
blueprint for the future.

I think a bunch of the pre-processing could be handled on Tweens (much of 
this is invoking or manipulating request properties configured via 
`add_request_method`).  

The big disconnects I keep having with Pyramid's Auth(s) system(s) are:

* requiring an unauthenticated user.  
* applying different styles of required authorizations

Our authz tends to be more complex than the standard Pyramid examples and 
any open source Pyramid app I've seen.  I think the easiest way to describe 
it would be like Facebook's group policies:

* user type - normal, group administrator, group owner, app employee
* group administrator permissions (computed or database stored based on 
user+group combination)
* user or group qualities (some things require a specific TOS version 
opt-in, others require a photo to have been uploaded)

Beyond that, we are also able to use the subclasses to set the failure 
policies - e.g. where the redirects are routed to - as these are logically 
grouped by the handlers. 

The app I am currently porting does not have all these constraints, and is 
much simpler, but this seems like the perfect time to rethink and 
potentially redeploy some legacy code.

Has anyone worked on something similar and can share tips, or seen any 
potentially similar open source projects we can look to for inspiration?

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to pylons-discuss+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/a04332da-c249-4426-8d3a-1b9126dd64cen%40googlegroups.com.
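
An added sketch, not part of the thread and not Pyramid's or the poster's code: the requirements listed in the message above (a view that requires an unauthenticated user, group roles, user qualities) expressed as one object with the method set of a Pyramid 2.0 security policy. The permission strings (`logged_out`, `group:admin`, `tos:3`, `has:photo`, `+` to combine), the sample tables and `make_request` are assumptions; it returns plain bools so it runs without Pyramid installed.

```python
from types import SimpleNamespace

# Constructed sample data standing in for database lookups.
USERS = {1: {"tos": 3, "photo": True}, 2: {"tos": 2, "photo": True},
         3: {"tos": 3, "photo": False}}
MEMBERSHIPS = {(1, 10): "owner", (2, 10): "admin", (3, 10): "member"}
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}


class HandlerStylePolicy:
    """Hypothetical policy with the method set of a Pyramid 2.0 security policy."""

    def identity(self, request):
        uid = request.session.get("user_id")
        return dict(USERS[uid], id=uid) if uid in USERS else None

    def authenticated_userid(self, request):
        ident = self.identity(request)
        return ident["id"] if ident else None

    def permits(self, request, context, permission):
        # A real policy would return pyramid.security.Allowed / Denied;
        # plain bools are used here. Every "+"-joined part must pass.
        ident = self.identity(request)
        return all(self._check(ident, context, p) for p in permission.split("+"))

    def _check(self, ident, context, perm):
        if perm == "logged_out":      # view requires NO authenticated user
            return ident is None
        if perm == "logged_any":
            return True
        if ident is None:             # everything below needs a login
            return False
        if perm == "logged_in":
            return True
        kind, _, arg = perm.partition(":")
        if kind == "group" and arg in ROLE_RANK:
            role = MEMBERSHIPS.get((ident["id"], getattr(context, "group_id", None)))
            return ROLE_RANK.get(role, 0) >= ROLE_RANK[arg]
        if kind == "tos" and arg.isdigit():
            return ident["tos"] >= int(arg)
        if kind == "has":
            return ident.get(arg) is True
        return False                  # unknown permission: fail closed

    def remember(self, request, userid, **kw):
        return []                     # assumes a session-backed login, no headers

    def forget(self, request, **kw):
        return []


def make_request(user_id=None):
    """Constructed stand-in for a Pyramid request carrying a session dict."""
    return SimpleNamespace(session={"user_id": user_id} if user_id else {})
```

In an application an object like this is registered with `config.set_security_policy(...)`, and the strings are what `@view_config(permission=...)` would carry.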


Re: [pylons-discuss] Re: SQLAlchemy 2.0 support

2022-11-29 Thread Jonathan Vanasco
That should be fine.  If you see any warnings, that's unfortunately more 
than most developers see!


On Monday, November 28, 2022 at 4:14:16 PM UTC-5 zsol...@gmail.com wrote:

> I just use "PYTHONWARNINGS=default", afaik that's all I need to do right? 
> It shows me all the Pyramid and waitress warnings.
>
>
>
> On 28. Nov 2022 at 19:53:27, Jonathan Vanasco  wrote:
>
>> On Sunday, November 27, 2022 at 1:23:21 PM UTC-5 zsol...@gmail.com wrote:
>>
>>> Great to know! About the warnings, I'm on 2.0 and it works, so either 
>>> some of those RemovedIn20Warning are not removed or none of them are left.
>>>
>>
>> The warnings are still there, you most likely have fully compatible code. 
>> Congrats!
>>
>> One small thing to look out for: SQLAlchemy does some extra stuff now to 
>> make sure warnings are visible.  I don't think zope.sqlalchemy or many 
>> other projects do this.  TLDR: Python started to hide "warnings" around 
>> 2010, and you need to opt-in to seeing them. This caused many issues with 
>> SQLAlchemy, because the "postgres" driver name had been deprecated for 10+ 
>> years but people were still using it because they missed the "warnings".  
>>
>>> I mean I rewrote my queries to 2.0 style, but I've read that 1.x style 
>>> queries will continue to work, they are just removed from the documentation 
>>> now.
>>>
>>
>> Yes.  AFAIK, there is no planned deprecation for it.  Mike re-wrote the 
>> tutorial for 2.0 and we had a few people help out in older docs to remove 
>> all the 1.x query instructions.  IIRC, they should still be around in the 
>> FAQ and some various docs for legacy troubleshooting, but there is a 
>> decision for all new development to happen in the 2.0 API style and to help 
>> people migrate to the new syntax.