Cliquet provides a mechanism to handle authorization on the stored objects.
Authorization isn’t complicated, but requires the introduction of a few terms so that explanations are easier to follow:
- Object: The data that is stored into Cliquet. Objects usually match the resources you defined; for one resource there are two objects: the resource's collection and the resource's records.
- Principal: An entity that can be authenticated. Principals can be individual people, computers, services, or any group of such things.
- Permission: An action that can be authorized or denied. read, write and create are permissions.
- Access Control Entity (ACE): An association of a principal, an object and a permission. For instance, (Alexis, article, write).
- Access Control List (ACL): A list of Access Control Entities (ACEs).
By default, the resources defined by Cliquet are public, and records are isolated by user. But it is also possible to define protected resources, which will require the user to have access to the requested resource.

```python
from cliquet import authorization
from cliquet import resource


# MushroomSchema is the schema of the resource; it is defined earlier in the
# documentation and is not repeated here.
@resource.register(factory=authorization.RouteFactory)
class Toadstool(resource.ProtectedResource):
    mapping = MushroomSchema()
```
In this example, a route factory is registered. Route factories are explained in more detail below.

A protected resource, in addition to the data property of requests and responses, takes a permissions property which contains the list of principals that are allowed to access or modify the current object. When the object is created, the permissions property is stored in the permission backend; upon access, Cliquet checks that the current principal has access to the object with the required permission.
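A minimal in-memory model of the vocabulary above (objects, principals, permissions, ACEs), as an added example that is not Cliquet's own permission backend: the InMemoryPermissionBackend class, the object ids and the principal names are constructed for illustration. It stores the permissions property sent with an object and later checks whether any principal of a request (the user or one of its groups) holds the requested permission; anything not granted is denied.

```python
from collections import defaultdict


class InMemoryPermissionBackend:
    """Hypothetical ACL store, keyed by object id (not Cliquet's real backend)."""

    def __init__(self):
        # object_id -> permission -> set of principals granted that permission
        self._acls = defaultdict(lambda: defaultdict(set))

    def store(self, object_id, permissions):
        """Persist the ``permissions`` property sent along with an object.

        ``permissions`` maps a permission name to a list of principals, e.g.
        {"read": ["group:readers"], "write": ["fxa:alexis"]}.
        """
        for permission, principals in permissions.items():
            self._acls[object_id][permission].update(principals)

    def acl(self, object_id):
        """Return the object's ACL as a sorted list of ACEs
        (principal, object, permission)."""
        return sorted(
            (principal, object_id, permission)
            for permission, principals in self._acls[object_id].items()
            for principal in principals
        )

    def check(self, principals, object_id, permission):
        """True if at least one of the request's principals (the authenticated
        user plus every group it belongs to) is granted ``permission`` on the
        object. Unknown objects or permissions are denied."""
        granted = self._acls.get(object_id, {}).get(permission, set())
        return not granted.isdisjoint(principals)


# Constructed sample objects: a resource has a collection and its records.
ARTICLES_COLLECTION = "/articles"
ARTICLE_RECORD = "/articles/1"


def demo():
    """Store the permissions of one record, as done when the object is created."""
    backend = InMemoryPermissionBackend()
    backend.store(ARTICLE_RECORD, {"read": ["group:readers"],
                                   "write": ["fxa:alexis"]})
    return backend
```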
Route factories are best described in the Pyramid documentation.