Repoze Blog

2009-01-19 00:00:00-05:00

repoze.what 1.0 Final Released!

The repoze.what authorization framework has its first stable release!

repoze.what, which is the default authorization framework in TurboGears 2, was initially a TurboGears-specific repoze.who plugin (tg.ext.repoze.who) to support authorization based on the groups the authenticated user belongs to and the permissions granted to such groups, written by Chris McDonough, Florent Aide and Christopher Perkins.

The plugin evolved into a framework for arbitrary WSGI applications that, among the other features implemented once it became a TurboGears-independent project, lets developers store the application's groups and permissions in sources other than databases.

The code sample below illustrates how this fully documented and tested framework (yes, its code coverage is at 100%) can be used:

# Sample use in TurboGears 2; pay attention to the line with the "@require"
from tg import require
from pylons.i18n import ugettext as _   # the project's gettext function, used for the message
from repoze.what import predicates

# BaseController comes from the quickstarted project's lib/base.py
from myproject.lib.base import BaseController   # "myproject" is a placeholder name


class RootController(BaseController):

    # ...

    @require(predicates.has_permission('manage', msg=_('Only for managers')))
    def manage_permission_only(self):
        return dict(page='managers stuff')

In the example above, only people with the "manage" permission will be granted access to the "manage_permission_only" action. Also, if access is denied (i.e., the user doesn't have the "manage" permission), she will be redirected to the login form and the message "Only for managers" will be displayed; this behavior is fully customizable.

This groups/permissions-based authorization pattern is just the default pattern supported in repoze.what, and you can extend it to support your own pattern by creating so-called "predicates".
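As an added illustration (not code from repoze.what or from this post), here is a minimal stand-alone re-implementation of the predicate pattern: predicates read the per-request credentials that the middleware stores in environ['repoze.what.credentials'], @require evaluates one before the action runs and surfaces the denial message, and a custom predicate plugs in beside has_permission. The class bodies, the try_access helper and the credential dicts are assumptions for the demo; the real package's predicate API is richer.

```python
class NotAuthorized(Exception): pass  # args[0] carries the message shown on denial

def credentials(environ):
    # Per-request credentials the authorization middleware stores; {} for anonymous users
    return environ.get('repoze.what.credentials') or {}

class Predicate(object):
    """Base class: subclasses implement is_met(); msg= overrides the denial message."""
    message = 'Access denied'
    def __init__(self, msg=None):
        self.message = msg or self.message

    def check_authorization(self, environ):
        if not self.is_met(environ):
            raise NotAuthorized(self.message)

class has_permission(Predicate):
    """The default pattern: met when the user's groups grant the named permission."""
    def __init__(self, permission, **kw):
        Predicate.__init__(self, **kw)
        self.permission = permission

    def is_met(self, environ):
        return self.permission in credentials(environ).get('permissions', ())

class not_anonymous(Predicate):
    """A custom predicate outside the groups/permissions pattern: any logged-in user."""
    message = 'Please log in'
    def is_met(self, environ):
        return 'repoze.what.userid' in credentials(environ)

def require(predicate):
    """Decorator: evaluate the predicate against the request before running the action."""
    def wrap(action):
        def guarded(environ):
            predicate.check_authorization(environ)
            return action(environ)
        return guarded
    return wrap

@require(has_permission('manage', msg='Only for managers'))
def manage_permission_only(environ):
    return {'page': 'managers stuff'}

def try_access(action, environ):
    """Run a guarded action; return its result or the denial message."""
    try:
        return action(environ)
    except NotAuthorized as e:
        return e.args[0]
```

In the real framework the NotAuthorized case is what turns into the redirect to the login form with the message from the example above.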

Planning for the upcoming major release of the package has already started, so please don't hesitate to report the features you want to see in this release!

Special thanks go to Chris McDonough for his support throughout the development of repoze.what.

-- Gustavo Narea.
