Skip to content

st4lk/acl_webapp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

62 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ACL async application

Application with permissions system (ACL). Built with python, tornado, mongodb, motor.

Build Status Coverage Status

Supports

  • python 2.7

Installation

Tools used

Description

Structure

Project has django-like structure: it contains 'applications'. Application has handlers, models, forms, etc.

Base modules

Base handlers module have ListHandler, DetailHandler, CreateHandler, DeleteHandler. They behave similiar to django ListView, DetailView and so on.

Base models module have BaseModel with common used methods. All models should subclass it.

Base forms contains adopted to tornado Form and ModelForm (subclasses of WTForms). ModelForm performs validation on its model and provide model object, if validation pass.

Permission system

Permissions are base on models. Each user has 'permissions' field, which has following structure:

permissions = {
    'model_name_1': ['read',],
    'model_name_2': ['read', 'write'],
    'model_name_3': ['read', 'write', 'delete'],
}

So user with such permissions can read objects of model_name_1, can read and write objects of model_name_2 and can read, write and delete objects of model_name_3. Permissions are checked in base handlers, so it is needed to subclass them. Example:

from base.handlers import ListHandler
from .models import NewsModel

class NewsListHandler(ListHandler):

    def initialize(self, **kwargs):
        super(NewsListHandler, self).initialize(**kwargs)
        self.model = NewsModel
        self.template_name = "news/list.html"

If it is needed to check additional permissions, it can be done by overriding corresponding methods of base handler. The easiest way is to provide it in get_additional_permissions method. For more complicated behaviour look at base handlers implementation.

Example, where to be able to delete 'news' object user must be also an author of this object (in addition to 'delete' permission):

from base.handlers import DeleteHandler
from .models import NewsModel

class NewsDeleteHandler(DeleteHandler):
    # ...

    @gen.coroutine
    def get_additional_permissions(self):
        if self.object is None:
            yield self.get_object()
        news = self.object
        raise gen.Return(news.author == self.current_user)

UserModel has default permissions, contained in DEFAULT_PERMISSIONS. When user is created, he has those default permissions.

Shortcut to change permissions from mongodb shell:

Set permissions to user with email="[email protected]" for model with name 'news'.

use acl_app
usr = db.accounts.findOne({_id: "[email protected]"})
// look his current permissions
usr.permissions
// set no permissions
usr.permissions['news'] = []
db.accounts.save(usr)
// set only read permissions
usr.permissions['news'] = ['read']
db.accounts.save(usr)
// set read, write, delete permissions
usr.permissions['news'] = ['read', 'write', 'delete']
db.accounts.save(usr)

About

Application with permissions system. Build with tornado, mongodb, motor

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published