I have been trying to figure out how to do object-level security with mongoengine and cannot find any good solution.
Should I use a factory or something else? Somehow the `__getitem__` function is never called, so I cannot do anything there. The ACL on the model also seems to be completely ignored. Is it possible to check the user's permissions at the model level?
Case:
Configuration:
```python
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.config import Configurator

config = Configurator(settings=settings,
                      root_factory=RootFactory,
                      # the policy must be instantiated with its signing secret
                      # ('<auth-tkt-secret>' is a placeholder; load it from settings)
                      authentication_policy=AuthTktAuthenticationPolicy('<auth-tkt-secret>'),
                      authorization_policy=ACLAuthorizationPolicy())
```
Model:
```python
from mongoengine import Document, ReferenceField, StringField
from pyramid.security import Allow


class Car(Document):
    """Car model"""

    @property
    def __acl__(self):
        # the owner ACE is only matched if the principal equals the userid
        # string the authentication policy returns, not the User document
        return [
            (Allow, self.owner, 'modify'),
            (Allow, 'group:admins', 'edit'),
        ]

    make = StringField(required=False)
    model = StringField()
    owner = ReferenceField('User')
```
Factory:
```python
from pyramid.security import Allow, Authenticated, DENY_ALL


class RootFactory(object):
    """Root factory"""

    def __init__(self, request):
        self.__acl__ = [(Allow, Authenticated, 'create'),
                        DENY_ALL]  # DENY_ALL is already an ACE tuple


class CarFactory(object):
    __acl__ = [
        (Allow, Authenticated, 'create'),
        # the literal string 'self.owner' is a principal no user ever has
        (Allow, 'self.owner', 'modify'),
        DENY_ALL,
    ]

    def __init__(self, request):
        self.request = request

    def __getitem__(self, key):
        # USERS is the user lookup table assumed by the question
        user = USERS[key]
        user.__parent__ = self
        user.__name__ = key
        return user
```
Route:
```python
config.add_route('saveCar', '/car/save/', factory=CarFactory)
```
View:
```python
from pyramid.view import view_config


@view_config(route_name='saveCar',
             request_method='POST',
             permission='modify')
def saveCar(request):
    """Save car functions"""
```
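The permission check in the setup above only ever sees the ACL of the object the route factory returns, so the document's `__acl__` is consulted only when the factory returns the `Car` itself as the context. The following is an added example, not code from the question or from Pyramid: a stand-alone stand-in for `ACLAuthorizationPolicy`'s lookup (first matching ACE in the `__parent__` lineage decides) with plain `Root` and `Car` classes in place of `RootFactory` and the mongoengine document, and a route factory that resolves the car from the URL; `CARS`, `car_factory`, `effective_principals`, `permits` and `can` are names assumed for the example.

```python
# Added example, not code from the question: a stand-alone stand-in for
# Pyramid's ACLAuthorizationPolicy, runnable without pyramid or mongoengine.
# Constants mirror pyramid.security; Root/Car replace RootFactory and Car.
Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
ALL_PERMISSIONS = object()
DENY_ALL = (Deny, Everyone, ALL_PERMISSIONS)

class Root:  # same ACL as the question's RootFactory
    __parent__ = None
    __acl__ = [(Allow, Authenticated, "create"), DENY_ALL]

class Car:  # stand-in for the Car document; the root is its __parent__
    __parent__ = Root()
    def __init__(self, car_id, owner_userid):
        self.car_id, self.owner_userid = car_id, owner_userid

    @property
    def __acl__(self):
        # The owner ACE must name the userid string the auth policy returns;
        # a literal 'self.owner' is a principal nobody ever has.
        return [(Allow, self.owner_userid, "modify"),
                (Allow, "group:admins", "edit")]

CARS = {"c1": Car("c1", "alice")}  # constructed sample data

def car_factory(request):
    """Route factory: return the Car itself as the context so its __acl__ is
    what the view checks. `request` is assumed dict-like with matchdict."""
    return CARS[request["matchdict"]["car_id"]]  # KeyError -> 404 in Pyramid

def effective_principals(userid=None, groups=()):
    """What an authentication policy reports; anonymous is Everyone only."""
    return [Everyone] if userid is None else [Everyone, Authenticated, userid, *groups]

def permits(context, principals, permission):
    """First ACE in the lineage matching a principal and the permission
    decides, as ACLAuthorizationPolicy does; no match is a deny."""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", ()):
            perms = (perms,) if isinstance(perms, str) else perms
            if principal in principals and (perms is ALL_PERMISSIONS or permission in perms):
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False

def can(permission, userid=None, groups=(), car_id="c1"):
    ctx = car_factory({"matchdict": {"car_id": car_id}})
    return permits(ctx, effective_principals(userid, groups), permission)
```

With `factory=car_factory` on a route such as `/car/{car_id}/save/`, `permission='modify'` on the view is evaluated against the car's own ACL, and the trailing `DENY_ALL` on the root stops any request that no ACE explicitly allows.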