Python Eve的多用户限制访问

时间:2014-07-15 14:21:40

标签: eve

目前,Eve v0.4通过' auth_field'支持用户限制资源访问,但它似乎旨在自动处理单一所有者案例。

如何启用多用户限制访问,如果用户的ID包含在允许的ID数组中,则允许用户查看资源?可能有多个列表用于单独的读写权限。

2 个答案:

答案 0 :(得分:3)

我为EVE写了一个小黑客,它正在添加这个功能。也许这有点棘手,但它确实有效。

您需要更新EVE的fdec函数auth.py:

def fdec(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        if args:
            # resource or item endpoint
            resource_name = args[0]
            resource = app.config['DOMAIN'][args[0]]
            if endpoint_class == 'resource':
                public = resource['public_methods']
                roles = resource['allowed_roles']
                if request.method in ['GET', 'HEAD', 'OPTIONS']:
                    roles += resource['allowed_read_roles']
                else:
                    roles += resource['allowed_write_roles']
            elif endpoint_class == 'item':
                public = resource['public_item_methods']
                roles = resource['allowed_item_roles']
                if roles and isinstance(roles, str):
                    items = app.data.driver.db[args[0]]
                    item = items.find_one(kwargs)
                    roles = item[roles]
                if request.method in ['GET', 'HEAD', 'OPTIONS']:
                    roles += resource['allowed_item_read_roles']
                else:
                    roles += resource['allowed_item_write_roles']
            if callable(resource['authentication']):
                auth = resource['authentication']()
            else:
                auth = resource['authentication']
        else:
            # home
            resource_name = resource = None
            public = app.config['PUBLIC_METHODS'] + ['OPTIONS']
            roles = app.config['ALLOWED_ROLES']
            if request.method in ['GET', 'OPTIONS']:
                roles += app.config['ALLOWED_READ_ROLES']
            else:
                roles += app.config['ALLOWED_WRITE_ROLES']
            auth = app.auth
        if auth and request.method not in public:
            if not auth.authorized(roles, resource_name, request.method):
                return auth.authenticate()
        return f(*args, **kwargs)
    return decorated
return fdec

如你所见,我添加了一个条件:if isinstance(roles,str) 我们的想法是,当您将字符串放入allowed_roles而不是list时,意味着您指向此项目中的字段,该字段包含用户列表。例如,我有下一个方案和组的定义:

definition = {
    'url': 'groups',
    'item_title': 'group',
    # only admins and apps are allowed to consume this endpoint
    'cache_control': '',
    'cache_expires': 0,
    'id_field': 'url',
    'schema': _schema,
    'allowed_item_roles': 'users',
    'additional_lookup': {
        'url': 'regex("[\w]+")',     # to be unique
        'field': 'url',
    },
}

_schema = {
    'name': required_string,  # group name
    'url': unique_string,       # group url - unique id
    'users': {                  # list of users, who registered for this group
        'type': 'list',
        'scheme': embedded_object('accounts')
    },
    'items': {                  # list of items in the group
        'type': 'list',
        'scheme': embedded_object('items'),
    },
    'owner': embedded_object('accounts'),
    'secret': {'type': 'string'}

}

因此,您可以看到我有一个用户列表,这是我帐户的嵌入对象。下一步是更新角色身份验证。现在看起来应该是:

def check_auth(self, token, allowed_roles, resource, method):
    accounts = app.data.driver.db['accounts']
    lookup = {'token': token}
    if allowed_roles:
        # only retrieve a user if his roles match ``allowed_roles``
        lookup['username'] = {'$in': allowed_roles}
    account = accounts.find_one(lookup)
    if account and 'username' in account:
        self.set_request_auth_value(account['username'])
    if account:
        self.request_auth_value = account['username']
    return account is not None

因此它检查用户名是否在允许的角色中。最后一步是更新EVE中的flaskapp.py以支持allowed_roles中的字符串

def validate_roles(self, directive, candidate, resource):
    """ Validates that user role directives are syntactically and formally
    adeguate.

    :param directive: either 'allowed_[read_|write_]roles' or
                      'allow_item_[read_|write_]roles'.
    :param candidate: the candidate setting to be validated.
    :param resource: name of the resource to which the candidate settings
                     refer to.

    .. versionadded:: 0.0.4
    """
    roles = candidate[directive]
    if not (isinstance(roles, list) or isinstance(roles, str)):
        raise ConfigException("'%s' must be list"
                              "[%s]." % (directive, resource))

无论如何,它仍然是一种解决方法,我不确定当每个项目有数千个用户时它会快速可靠地工作,但是对于少量用户来说它是有效的。

希望它会有所帮助

答案 1 :(得分:1)

用户受限资源访问本质上是一种机制,用于透明地存储创建文档的用户的ID以及文档本身。当用户返回端点时,他只能看到/编辑自己的文档。你如何分配多个"所有者"存储时的文件?

你有没有看过Role Based Access Control?尽管在端点(非文档)级别,它仍然可以满足您的要求。