Pyramid AuthTktAuthenticationPolicy 回调从未调用过

Posted 2023-04-13

【中文标题】Pyramid AuthTktAuthenticationPolicy 回调从未调用过

【英文标题】：Pyramid AuthTktAuthenticationPolicy callback never invoked

【发布时间】：2017-12-05 05:32:15

【问题描述】：

我试图通过使用 AuthTktAuthenticationPolicy 在 Pyramid 中实现简单的身份验证。我关注this - authentication 和this - authorization。

初始化.py

from pyramid.config import Configurator

from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from .security import groupfinder, Root


def main(global_config, **settings):
    """ This function returns a Pyramid WSGI application.
    """
    #config = Configurator(settings=settings)

    # ACL
    config = Configurator(settings=settings, root_factory=Root)
    authn_policy = AuthTktAuthenticationPolicy('sosecret', callback=groupfinder, hashalg='sha512')
    authz_policy = ACLAuthorizationPolicy()
    config.set_authentication_policy(authn_policy)
    config.set_authorization_policy(authz_policy)

    config.include('pyramid_jinja2')
    config.include('.models')
    config.include('.routes')
    config.scan()
    return config.make_wsgi_app()

security.py

GROUPS = 'admin': ['group:admin']
USERS = 'receptionist' : 'receptionist'

def groupfinder(userid, request):
    print("It's here")
    return ['group:admin']

from pyramid.security import Allow, Everyone

class Root(object):
    def __acl__(self):
        return [(Allow, Everyone, 'view'), (Allow, 'group:admin', 'edit')]

def __init__(self, request):
    pass

我的视图 default.py

...

@view_config(route_name='login', renderer='../templates/login.jinja2')
def login(request):
    try:
        if not ('user_name' in request.params and 'password' in request.params):
            return 

        if request.params['user_name'] == '' or request.params['password'] == '':
            raise Exception('Ada inputan yang kosong dari form')

        match_ = request.dbsession.query(TblUser).filter_by(user_name=request.params['user_name'], user_password=request.params['password']).one()
        username = request.params['user_name']

        if match_ is not None:
            headers = remember(request, username)
            request.response.headerlist.extend(headers)
            next_url = request.route_url('search-room')

            return HTTPFound(location=next_url)

    except Exception as e:
        log.exception(str(e))
        return 'code' : 'error', 'message' : str(e) 

...

@view_config(route_name='search-room', renderer='../templates/search-room.jinja2', permission='edit')
def search_room(request):
    try:
        if not ('floor' in request.params):
            return 

        if request.params['floor'] == '':
            raise Exception('Ada inputan yang kosong dari form')

        query = request.dbsession.query(TblReservation)
        result = query.join(TblRoom, aliased=True).filter_by(room_floor=request.params['floor']).all()

        if result is None or len(result) < 1:
            raise Exception("No row found")

        return 'code' : 'ok', 'message' : '', 'content' : result 

    except Exception as e:
        log.exception(str(e))
        return 'code' : 'error', 'message' : str(e), 'content' : ''

repo 中的完整代码https://github.com/muhakbaryasin/pyramid-simple-acl

我至少将用户设置为需要经过身份验证和授权为“管理员”，这样它才能获得“编辑”角色并访问“搜索室”页面。

我现在得到的是登录过程已完成，但它不会授予访问“搜索室”的授权，并且永远不会调用 groupfinder。

我错过了什么？ :(

【参考方案1】：

针对source in the Pyramid Quick Tutorial 运行差异以找出您遗漏的内容。

【讨论】：

好的。我试试看

我已经解决了这个问题。这是因为未保留包含 cookie 的标头。我想念 HTTPFound(location=next_url) -> HTTPFound(location=next_url, headers=headers)

@campnew：我有一个类似的错误，你能检查这个代码提供你的输入 - github.com/PREM1980/authentication/tree/main/spa_authentication 事实上，我已经调用了记住函数。