目前,Eve v0.4通过' auth_field'支持用户限制资源访问,但它似乎旨在自动处理单一所有者案例。
如何启用多用户限制访问,如果用户的ID包含在允许的ID数组中,则允许用户查看资源?可能有多个列表用于单独的读写权限。
答案 0 :(得分:3)
我为EVE写了一个小黑客,它正在添加这个功能。也许这有点棘手,但它确实有效。
您需要更新EVE的fdec函数auth.py:
def fdec(f):
@wraps(f)
def decorated(*args, **kwargs):
if args:
# resource or item endpoint
resource_name = args[0]
resource = app.config['DOMAIN'][args[0]]
if endpoint_class == 'resource':
public = resource['public_methods']
roles = resource['allowed_roles']
if request.method in ['GET', 'HEAD', 'OPTIONS']:
roles += resource['allowed_read_roles']
else:
roles += resource['allowed_write_roles']
elif endpoint_class == 'item':
public = resource['public_item_methods']
roles = resource['allowed_item_roles']
if roles and isinstance(roles, str):
items = app.data.driver.db[args[0]]
item = items.find_one(kwargs)
roles = item[roles]
if request.method in ['GET', 'HEAD', 'OPTIONS']:
roles += resource['allowed_item_read_roles']
else:
roles += resource['allowed_item_write_roles']
if callable(resource['authentication']):
auth = resource['authentication']()
else:
auth = resource['authentication']
else:
# home
resource_name = resource = None
public = app.config['PUBLIC_METHODS'] + ['OPTIONS']
roles = app.config['ALLOWED_ROLES']
if request.method in ['GET', 'OPTIONS']:
roles += app.config['ALLOWED_READ_ROLES']
else:
roles += app.config['ALLOWED_WRITE_ROLES']
auth = app.auth
if auth and request.method not in public:
if not auth.authorized(roles, resource_name, request.method):
return auth.authenticate()
return f(*args, **kwargs)
return decorated
return fdec
如你所见,我添加了一个条件:if isinstance(roles,str) 我们的想法是,当您将字符串放入allowed_roles而不是list时,意味着您指向此项目中的字段,该字段包含用户列表。例如,我有下一个方案和组的定义:
definition = {
'url': 'groups',
'item_title': 'group',
# only admins and apps are allowed to consume this endpoint
'cache_control': '',
'cache_expires': 0,
'id_field': 'url',
'schema': _schema,
'allowed_item_roles': 'users',
'additional_lookup': {
'url': 'regex("[\w]+")', # to be unique
'field': 'url',
},
}
_schema = {
'name': required_string, # group name
'url': unique_string, # group url - unique id
'users': { # list of users, who registered for this group
'type': 'list',
'scheme': embedded_object('accounts')
},
'items': { # list of items in the group
'type': 'list',
'scheme': embedded_object('items'),
},
'owner': embedded_object('accounts'),
'secret': {'type': 'string'}
}
因此,您可以看到我有一个用户列表,这是我帐户的嵌入对象。下一步是更新角色身份验证。现在看起来应该是:
def check_auth(self, token, allowed_roles, resource, method):
accounts = app.data.driver.db['accounts']
lookup = {'token': token}
if allowed_roles:
# only retrieve a user if his roles match ``allowed_roles``
lookup['username'] = {'$in': allowed_roles}
account = accounts.find_one(lookup)
if account and 'username' in account:
self.set_request_auth_value(account['username'])
if account:
self.request_auth_value = account['username']
return account is not None
因此它检查用户名是否在允许的角色中。最后一步是更新EVE中的flaskapp.py以支持allowed_roles中的字符串
def validate_roles(self, directive, candidate, resource):
""" Validates that user role directives are syntactically and formally
adeguate.
:param directive: either 'allowed_[read_|write_]roles' or
'allow_item_[read_|write_]roles'.
:param candidate: the candidate setting to be validated.
:param resource: name of the resource to which the candidate settings
refer to.
.. versionadded:: 0.0.4
"""
roles = candidate[directive]
if not (isinstance(roles, list) or isinstance(roles, str)):
raise ConfigException("'%s' must be list"
"[%s]." % (directive, resource))
无论如何,它仍然是一种解决方法,我不确定当每个项目有数千个用户时它会快速可靠地工作,但是对于少量用户来说它是有效的。
希望它会有所帮助
答案 1 :(得分:1)
用户受限资源访问本质上是一种机制,用于透明地存储创建文档的用户的ID以及文档本身。当用户返回端点时,他只能看到/编辑自己的文档。你如何分配多个"所有者"存储时的文件?
你有没有看过Role Based Access Control?尽管在端点(非文档)级别,它仍然可以满足您的要求。