Context navigation

source: main/waeup.sirp/trunk/src/waeup/sirp/authentication.txt @ 10009

Last change on this file since 10009 was 7636, checked in by Henrik Bettermann, 13 years ago
Fix role assignment when creating an account.
File size: 6.4 KB

Rev	Line
[7321]	1	SIRP authentication
	2	*******************
[4085]	3
	4	We need to protect most pieces of our portals from unauthenticated
	5	access.
	6
	7	Therefore users have to login to access main functionality and they
	8	are able to log out afterwards.
	9
	10	Before we can check access we have to create an app:
	11
[6180]	12	>>> from zope.component.hooks import setSite # only needed in tests
[4921]	13	>>> from waeup.sirp.app import University
[4085]	14	>>> root = getRootFolder()
	15	>>> u = University()
	16	>>> root['app'] = u
[6180]	17	>>> setSite(root['app']) # only needed in tests
[4085]	18
	19	To make sure, we can 'watch' pages, we first have to initialize our
	20	test browser:
	21
	22	>>> from zope.testbrowser.testing import Browser
	23	>>> browser = Browser()
	24	>>> browser.handleErrors = False
	25
[4092]	26	Creating users (principals)
	27	===========================
[4085]	28
[4092]	29	Before we can login, we have to provide a user (``principal`` in Zope
[4093]	30	terms) with a password (and optional a title or description):
[4092]	31
[4744]	32	>>> root['app']['users'].addUser('bob', 'bobsecret',
[4093]	33	... title='Bob', description='A sample user')
[4092]	34
	35	We can also add complete `Account` objects. An `Account` stores the
	36	user credentials and some metadata persistently:
	37
[4921]	38	>>> from waeup.sirp.authentication import Account
[7636]	39	>>> alice = Account('alice', 'alicesecret',roles=['waeup.ManageDataCenter'])
[4744]	40	>>> root['app']['users'].addAccount(alice)
[4092]	41
[7173]	42	See ``userscontainer.txt`` for details about the UsersContainer we use here.
[4092]	43
[6180]	44	Users and local roles
	45	=====================
[4093]	46
[6180]	47	Accounts also hold infos about local roles assigned to a user. In the
[7173]	48	beginning, users have the local owner role of their own account object:
[6180]	49
	50	>>> alice.getLocalRoles()
[7163]	51	{'waeup.local.Owner': [<waeup.sirp.authentication.Account object at 0x...>]}
[6180]	52
[7636]	53	User automatically get the global AcademicsOfficer role:
[7173]	54
[7177]	55	>>> alice.getSiteRolesForPrincipal()
[7636]	56	['waeup.ManageDataCenter', 'waeup.AcademicsOfficer']
[7173]	57
[7163]	58	We can tell an account, that Alice got some role for another object:
[6180]	59
	60	>>> chalet = object()
	61	>>> root['app']['chalet'] = chalet
	62	>>> alice.notifyLocalRoleChanged(chalet, 'BigBoss', granted=True)
	63
	64	Now Alice is the Big Boss:
	65
	66	>>> alice.getLocalRoles()
	67	{'BigBoss': [<object object at 0x...>]}
	68
	69	When we do not want Alice to be the Big Boss we can tell that too:
	70
	71	>>> alice.notifyLocalRoleChanged(chalet, 'BigBoss', granted=False)
	72	>>> alice.getLocalRoles()
[7163]	73	{'waeup.local.Owner': [<waeup.sirp.authentication.Account object at 0x...>]}
[6180]	74
	75	We can also use events to trigger such actions. This is recommended
	76	because we do not neccessarily know where Alice lives:
	77
[7169]	78	>>> from waeup.sirp.authentication import LocalRoleSetEvent
[6180]	79	>>> from zope.event import notify
	80	>>> notify(LocalRoleSetEvent(chalet, 'BigBoss', 'alice',
	81	... granted=True))
	82	>>> alice.getLocalRoles()
	83	{'BigBoss': [<object object at 0x...>]}
	84
	85	When objects are deleted, local roles are also deleted
	86	semi-magically. This happens through event subscribers listening to
	87	IObjectRemovedEvents. The latters are naturally only fired when ZODB
	88	stored objects are removed. Furthermore this subscriber reads the
	89	internal local roles table.
	90
	91	We create a faculty and grant Bob a local role:
	92
	93	>>> from zope.securitypolicy.interfaces import IPrincipalRoleManager
	94	>>> from waeup.sirp.university.faculty import Faculty
	95	>>> faculty = Faculty()
	96	>>> root['app']['bobs_fac'] = faculty
	97	>>> role_manager = IPrincipalRoleManager(faculty)
	98	>>> role_manager.assignRoleToPrincipal(
	99	... 'waeup.PortalManager', 'bob')
	100
	101	We notify the machinery about that fact:
	102
	103	>>> notify(LocalRoleSetEvent(faculty, 'waeup.PortalManager', 'bob',
	104	... granted=True))
	105	>>> bob = root['app']['users']['bob']
	106	>>> bob.getLocalRoles()
	107	{'waeup.PortalManager': [<waeup.sirp...Faculty object at 0x...>]}
	108
	109	When we delete the faculty from ZODB, also Bobs roles are modified:
	110
	111	>>> del root['app']['bobs_fac']
	112	>>> bob.getLocalRoles()
[7163]	113	{'waeup.local.Owner': [<waeup.sirp.authentication.Account object at 0x...>]}
[6180]	114
[6202]	115	If one notifies the machinery of a local role removal for an object
	116	that cannot have local roles, this will cause no trouble:
	117
	118	>>> mycontext = None #object()
	119	>>> notify(LocalRoleSetEvent(
	120	... mycontext, 'waeup.PortalManager', 'bob', granted=False
	121	... )) is None
	122	True
	123
[6203]	124	When an account get deleted, also the local roles of the owner get
	125	removed. Let's setup a local role for `alice`:
	126
	127	>>> faculty = Faculty()
	128	>>> root['app']['alice_fac'] = faculty
	129	>>> role_manager = IPrincipalRoleManager(faculty)
	130	>>> role_manager.assignRoleToPrincipal(
	131	... 'waeup.PortalManager', 'alice')
	132	>>> notify(LocalRoleSetEvent(faculty, 'waeup.PortalManager', 'alice',
	133	... granted=True))
	134
	135	The local role is set now:
	136
	137	>>> from zope.securitypolicy.interfaces import IPrincipalRoleMap
	138	>>> IPrincipalRoleMap(faculty).getPrincipalsAndRoles()
	139	[('waeup.PortalManager', 'alice', PermissionSetting: Allow)]
	140
	141	But when we delete Alices account from ZODB:
	142
	143	>>> del root['app']['users']['alice']
	144	>>> IPrincipalRoleMap(faculty).getPrincipalsAndRoles()
	145	[]
	146
	147	the local role has gone.
	148
	149
[4092]	150	Logging in via side bar
	151	=======================
	152
[4085]	153	We can access the front page without restrictions:
	154
	155	>>> browser.open('http://localhost/app')
	156	>>> print browser.headers['Status']
	157	200 Ok
	158
[5404]	159	We have to go to one of the login pages first:
[4086]	160
[6609]	161	>>> browser.open('http://localhost/app')
[6685]	162	>>> browser.getLink('Login').click()
[5404]	163	>>> print browser.headers['Status']
	164	200 Ok
	165
	166	There is a login form on tis page:
	167
[4086]	168	>>> 'form.login' in browser.contents
	169	True
	170
[4093]	171	>>> 'form.logout' in browser.contents
	172	False
	173
[4086]	174	We use this form:
	175
[4093]	176	>>> browser.getControl(name='form.login').value = 'bob'
[6609]	177	>>> browser.getControl(name='form.password').value = 'invalidpw'
	178	>>> browser.getControl('Login').click()
	179	>>> 'You entered wrong credentials' in browser.contents
	180	True
	181
	182	>>> browser.getControl(name='form.login').value = 'bob'
[4093]	183	>>> browser.getControl(name='form.password').value = 'bobsecret'
[4086]	184	>>> browser.getControl('Login').click()
[4092]	185
[4093]	186	Now the login form is gone. Instead we have the opportunity to logout:
	187
	188	>>> 'form.login' in browser.contents
	189	False
	190
[4617]	191	>>> logout = browser.getLink('Logout')
	192	>>> logout
	193	<Link text='Logout' url='http://localhost/app/@@logout'>
[4093]	194
[4613]	195	The user title is also displayed in the sidebar:
[4093]	196
[4613]	197	>>> 'Bob' in browser.contents
[4094]	198	True
[4093]	199
[4094]	200	We can also log out afterwards:
	201
[4617]	202	>>> logout.click()
[5404]	203	>>> print browser.contents
	204	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"...
[6691]	205	...Login
[5404]	206	...
[4094]	207

Note: See TracBrowser for help on using the repository browser.

Download in other formats: