I'm trying to add authorization to my Pyramid app but it looks like it's getting completely ignored. Since everyone is denied the 'view' permission, why am I still able to view the 'home' route?
security.py:
from pyramid.security import Allow, Everyone, Deny, Authenticated
from .models import Roles
def groupfinder(userid, request):
print('userid: %s' % userid)
return None
class RootFactory(object):
__acl__ = [(Deny, Everyone, 'view')]
def __init__(self, request):
pass
__init__.py:
from .security import groupfinder
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.config import Configurator
from sqlalchemy import engine_from_config
from .models import (
DBSession,
Base,
)
def main(global_config, **settings):
""" This function returns a Pyramid WSGI application.
"""
engine = engine_from_config(settings, 'sqlalchemy.')
DBSession.configure(bind=engine)
Base.metadata.bind = engine
authn_policy = AuthTktAuthenticationPolicy(secret='secret', callback=groupfinder, hashalg='sha512')
authz_policy = ACLAuthorizationPolicy()
config = Configurator(settings=settings, root_factory='vip_backend.security.RootFactory')
config.set_authentication_policy(authn_policy)
config.set_authorization_policy(authz_policy)
config = Configurator(settings=settings)
config.include('pyramid_mako')
config.add_static_view('static', 'static', cache_max_age=3600)
config.add_route('home', '/')
config.scan()
return config.make_wsgi_app()
views.py:
from pyramid.response import Response
from pyramid.view import view_config
@view_config(route_name='home', permission='view')
def home(request):
return Response(body='You are here.')