diff --git a/geoportal/c2cgeoportal_geoportal/lib/security.py b/geoportal/c2cgeoportal_geoportal/lib/security.py new file mode 100644 index 0000000000..8a3d3b0e6b --- /dev/null +++ b/geoportal/c2cgeoportal_geoportal/lib/security.py @@ -0,0 +1,50 @@ +from pyramid.authentication import AuthTktCookieHelper +from pyramid.authorization import ACLHelper, Authenticated, Everyone +from pyramid.interfaces import ISecurityPolicy + +from c2cgeoportal_geoportal.resources import defaultgroupsfinder +from jinja2.runtime import identity +from macaroonbakery.bakery._identity import Identity + + +class SecurityPolicy(ISecurityPolicy): + def __init__( + self, + identity_providers: List([Callable[pyramid.request.request], Dict[str, Any]]), + groupfinder: Callable[[str, pyramid.request.Request], List[str]], + ): + self.groupfinder = groupfinder or defaultgroupsfinder + self.helper = AuthTktCookieHelper(secret) + + def identity(self, request: pyramid.request.Request) -> Dict[str, Any]: + for identity_provider in [self.helper.identify, self.identity_providers]: + identity = identity_provider(request) + if identity is not None: + return Identity + return None + + def authenticated_userid(self, request: pyramid.request.Request): + identity = request.identity + if identity is not None: + return identity['userid'] + + def permits( + self, + request: pyramid.request.Request, + context, + permission, + ): + identity = request.identity + principals = set([Everyone]) + if identity is not None: + principals.add(Authenticated) + principals.add(identity['userid']) + user = request.user + principals.update(self.groupfinder(user)) + return ACLHelper().permits(context, principals, permission) + + def remember(self, request, userid, **kw): + return self.helper.remember(request, userid, **kw) + + def forget(self, request, **kw): + return self.helper.forget(request, **kw)