Python 正在绕过金字塔授权


我刚刚根据为我的金字塔应用程序添加了授权。此时,应用程序仅显示信息

我还将从MySQL获取登录信息,因此我实现了类似的功能

然而,它并没有发挥应有的作用,我不知道如何修复它:

注销后,只需输入目标页面URL即可绕过整个登录。在我看来,它并没有“忘记”登录。当我直接输入url时,它也不会重定向到登录页面

这是我的 views.py:

目标页面:

@view_config(route_name='monitor',
             renderer='monitor:templates/monitor.mak',
             permission='view')
def monitor(request):
    """Render the monitor page listing every ``Login`` and ``Alert`` row.

    The view is guarded by the ``view`` permission; whether that permission
    actually requires a logged-in user is decided by the root factory's ACL,
    not by anything in this function.

    Args:
        request: the Pyramid request.

    Returns:
        Template dict with both queries ordered by ``id`` and the
        authenticated user id (``None`` when nobody is logged in).
    """
    logins_by_id = DBSession.query(Login).order_by(Login.id)
    alerts_by_id = DBSession.query(Alert).order_by(Alert.id)
    return dict(
        oEntry_Logins=logins_by_id,
        oEntry_Alerts=alerts_by_id,
        logged_in=request.authenticated_userid,
    )
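@view_config(route_name='login', renderer='templates/login.pt')
@forbidden_view_config(renderer='templates/login.pt')
def login(request):
    """Show the login form and, on submission, authenticate the user.

    Also registered as the forbidden view, so a request that lacks the
    required permission lands here with the page it wanted carried in
    ``came_from``.

    Args:
        request: the Pyramid request.

    Returns:
        On a successful submission an ``HTTPFound`` redirect to ``came_from``
        with the ``remember`` headers attached; otherwise the template dict
        (``message``, ``url``, ``came_from``, ``login``, ``password``).
    """
    from urllib.parse import urlsplit

    login_url = request.route_url('login')
    referrer = request.url
    if referrer == login_url:
        referrer = '/'  # never use the login form itself as came_from
    came_from = request.params.get('came_from', referrer)
    # came_from is client-supplied (query string or hidden form field), so
    # without a check the post-login redirect would follow whatever URL the
    # link that brought the user here put there. Accept only a relative path
    # or an http(s) URL on this application's own host; anything else goes
    # to '/'. The host is taken from application_url so it is normalised the
    # same way as request.url (the default referrer).
    own_host = urlsplit(request.application_url).netloc
    target = urlsplit(came_from)
    if target.scheme not in ('', 'http', 'https') or target.netloc not in ('', own_host):
        came_from = '/'

    message = ''
    username = ''
    password = ''
    if 'form.submitted' in request.params:
        username = request.params['login']
        password = request.params['password']
        # Verbatim match against the stored password column. The query is
        # built from SQLAlchemy expressions, so both values are bound as
        # parameters rather than interpolated into SQL.
        matches = (
            DBSession.query(User)
            .filter(User.name == username)
            .filter(User.password == password)
            .count()
        )
        if matches:
            headers = remember(request, username)
            return HTTPFound(location=came_from, headers=headers)
        message = 'Failed login'

    # The submitted password is handed back to the template context exactly
    # as the original did; the template decides whether to render it.
    return dict(
        message=message,
        url=request.application_url + '/login',
        came_from=came_from,
        login=username,
        password=password,
    )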

#logout view
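@view_config(route_name='logout')
def logout(self):
    """Forget the current user and send the browser to the login page.

    Pyramid calls a one-argument function view as ``view(request)``, so
    ``self`` is normally the request itself and ``self.request`` would only
    resolve when the callable is used on a class-based view. Both shapes are
    accepted instead of relying on the attribute.

    Args:
        self: the Pyramid request, or an object exposing ``.request``.

    Returns:
        An ``HTTPFound`` redirect to the ``login`` route carrying the
        ``forget`` headers that tell the authentication policy to drop the
        remembered user.
    """
    request = getattr(self, 'request', self)
    headers = forget(request)
    return HTTPFound(location=request.route_url('login'), headers=headers)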
from .models import (
    DBSession,
    User,
    )

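def groupfinder(userid, request):
    """Group callback for the authentication policy.

    Args:
        userid: the principal recovered from the auth ticket.
        request: the current request (unused).

    Returns:
        ``['group:']`` when a ``User`` row with that name exists (every user
        is put in the same group), otherwise ``None`` so the policy treats
        the ticket as belonging to an unknown user. The original only bound
        its result inside the loop body and so raised ``UnboundLocalError``
        for an unknown user.
    """
    session = DBSession()
    if session.query(User).filter(User.name == userid).first() is None:
        return None
    # This group principal is literally 'group:' with nothing after the
    # colon, so it does not match the 'group:editors' entry in the ACL.
    return ['group:']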
登录/注销:

@view_config(route_name='monitor',
             renderer='monitor:templates/monitor.mak',
             permission='view')
def monitor(request):
    """Render the monitor page listing every ``Login`` and ``Alert`` row.

    The view is guarded by the ``view`` permission; whether that permission
    actually requires a logged-in user is decided by the root factory's ACL,
    not by anything in this function.

    Args:
        request: the Pyramid request.

    Returns:
        Template dict with both queries ordered by ``id`` and the
        authenticated user id (``None`` when nobody is logged in).
    """
    logins_by_id = DBSession.query(Login).order_by(Login.id)
    alerts_by_id = DBSession.query(Alert).order_by(Alert.id)
    return dict(
        oEntry_Logins=logins_by_id,
        oEntry_Alerts=alerts_by_id,
        logged_in=request.authenticated_userid,
    )
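@view_config(route_name='login', renderer='templates/login.pt')
@forbidden_view_config(renderer='templates/login.pt')
def login(request):
    """Show the login form and, on submission, authenticate the user.

    Also registered as the forbidden view, so a request that lacks the
    required permission lands here with the page it wanted carried in
    ``came_from``.

    Args:
        request: the Pyramid request.

    Returns:
        On a successful submission an ``HTTPFound`` redirect to ``came_from``
        with the ``remember`` headers attached; otherwise the template dict
        (``message``, ``url``, ``came_from``, ``login``, ``password``).
    """
    from urllib.parse import urlsplit

    login_url = request.route_url('login')
    referrer = request.url
    if referrer == login_url:
        referrer = '/'  # never use the login form itself as came_from
    came_from = request.params.get('came_from', referrer)
    # came_from is client-supplied (query string or hidden form field), so
    # without a check the post-login redirect would follow whatever URL the
    # link that brought the user here put there. Accept only a relative path
    # or an http(s) URL on this application's own host; anything else goes
    # to '/'. The host is taken from application_url so it is normalised the
    # same way as request.url (the default referrer).
    own_host = urlsplit(request.application_url).netloc
    target = urlsplit(came_from)
    if target.scheme not in ('', 'http', 'https') or target.netloc not in ('', own_host):
        came_from = '/'

    message = ''
    username = ''
    password = ''
    if 'form.submitted' in request.params:
        username = request.params['login']
        password = request.params['password']
        # Verbatim match against the stored password column. The query is
        # built from SQLAlchemy expressions, so both values are bound as
        # parameters rather than interpolated into SQL.
        matches = (
            DBSession.query(User)
            .filter(User.name == username)
            .filter(User.password == password)
            .count()
        )
        if matches:
            headers = remember(request, username)
            return HTTPFound(location=came_from, headers=headers)
        message = 'Failed login'

    # The submitted password is handed back to the template context exactly
    # as the original did; the template decides whether to render it.
    return dict(
        message=message,
        url=request.application_url + '/login',
        came_from=came_from,
        login=username,
        password=password,
    )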

#logout view
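@view_config(route_name='logout')
def logout(self):
    """Forget the current user and send the browser to the login page.

    Pyramid calls a one-argument function view as ``view(request)``, so
    ``self`` is normally the request itself and ``self.request`` would only
    resolve when the callable is used on a class-based view. Both shapes are
    accepted instead of relying on the attribute.

    Args:
        self: the Pyramid request, or an object exposing ``.request``.

    Returns:
        An ``HTTPFound`` redirect to the ``login`` route carrying the
        ``forget`` headers that tell the authentication policy to drop the
        remembered user.
    """
    request = getattr(self, 'request', self)
    headers = forget(request)
    return HTTPFound(location=request.route_url('login'), headers=headers)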
from .models import (
    DBSession,
    User,
    )

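def groupfinder(userid, request):
    """Group callback for the authentication policy.

    Args:
        userid: the principal recovered from the auth ticket.
        request: the current request (unused).

    Returns:
        ``['group:']`` when a ``User`` row with that name exists (every user
        is put in the same group), otherwise ``None`` so the policy treats
        the ticket as belonging to an unknown user. The original only bound
        its result inside the loop body and so raised ``UnboundLocalError``
        for an unknown user.
    """
    session = DBSession()
    if session.query(User).filter(User.name == userid).first() is None:
        return None
    # This group principal is literally 'group:' with nothing after the
    # colon, so it does not match the 'group:editors' entry in the ACL.
    return ['group:']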
这是我的模型文件:

...
class RootFactory(object):
    """Root context whose ACL decides every view's ``permission`` check.

    ``(Allow, Everyone, 'view')`` grants ``view`` to unauthenticated requests
    as well, so a view declared with ``permission='view'`` is reachable
    without logging in; only ``edit`` is limited to the ``group:editors``
    principal.
    """

    __acl__ = [
        (Allow, Everyone, 'view'),
        (Allow, 'group:editors', 'edit'),
    ]

    def __init__(self, request):
        """Accept the request as Pyramid's root factory protocol requires; nothing is stored."""
        pass
以及我的 security.py 文件:

@view_config(route_name='monitor',
             renderer='monitor:templates/monitor.mak',
             permission='view')
def monitor(request):
    """Render the monitor page listing every ``Login`` and ``Alert`` row.

    The view is guarded by the ``view`` permission; whether that permission
    actually requires a logged-in user is decided by the root factory's ACL,
    not by anything in this function.

    Args:
        request: the Pyramid request.

    Returns:
        Template dict with both queries ordered by ``id`` and the
        authenticated user id (``None`` when nobody is logged in).
    """
    logins_by_id = DBSession.query(Login).order_by(Login.id)
    alerts_by_id = DBSession.query(Alert).order_by(Alert.id)
    return dict(
        oEntry_Logins=logins_by_id,
        oEntry_Alerts=alerts_by_id,
        logged_in=request.authenticated_userid,
    )
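@view_config(route_name='login', renderer='templates/login.pt')
@forbidden_view_config(renderer='templates/login.pt')
def login(request):
    """Show the login form and, on submission, authenticate the user.

    Also registered as the forbidden view, so a request that lacks the
    required permission lands here with the page it wanted carried in
    ``came_from``.

    Args:
        request: the Pyramid request.

    Returns:
        On a successful submission an ``HTTPFound`` redirect to ``came_from``
        with the ``remember`` headers attached; otherwise the template dict
        (``message``, ``url``, ``came_from``, ``login``, ``password``).
    """
    from urllib.parse import urlsplit

    login_url = request.route_url('login')
    referrer = request.url
    if referrer == login_url:
        referrer = '/'  # never use the login form itself as came_from
    came_from = request.params.get('came_from', referrer)
    # came_from is client-supplied (query string or hidden form field), so
    # without a check the post-login redirect would follow whatever URL the
    # link that brought the user here put there. Accept only a relative path
    # or an http(s) URL on this application's own host; anything else goes
    # to '/'. The host is taken from application_url so it is normalised the
    # same way as request.url (the default referrer).
    own_host = urlsplit(request.application_url).netloc
    target = urlsplit(came_from)
    if target.scheme not in ('', 'http', 'https') or target.netloc not in ('', own_host):
        came_from = '/'

    message = ''
    username = ''
    password = ''
    if 'form.submitted' in request.params:
        username = request.params['login']
        password = request.params['password']
        # Verbatim match against the stored password column. The query is
        # built from SQLAlchemy expressions, so both values are bound as
        # parameters rather than interpolated into SQL.
        matches = (
            DBSession.query(User)
            .filter(User.name == username)
            .filter(User.password == password)
            .count()
        )
        if matches:
            headers = remember(request, username)
            return HTTPFound(location=came_from, headers=headers)
        message = 'Failed login'

    # The submitted password is handed back to the template context exactly
    # as the original did; the template decides whether to render it.
    return dict(
        message=message,
        url=request.application_url + '/login',
        came_from=came_from,
        login=username,
        password=password,
    )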

#logout view
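@view_config(route_name='logout')
def logout(self):
    """Forget the current user and send the browser to the login page.

    Pyramid calls a one-argument function view as ``view(request)``, so
    ``self`` is normally the request itself and ``self.request`` would only
    resolve when the callable is used on a class-based view. Both shapes are
    accepted instead of relying on the attribute.

    Args:
        self: the Pyramid request, or an object exposing ``.request``.

    Returns:
        An ``HTTPFound`` redirect to the ``login`` route carrying the
        ``forget`` headers that tell the authentication policy to drop the
        remembered user.
    """
    request = getattr(self, 'request', self)
    headers = forget(request)
    return HTTPFound(location=request.route_url('login'), headers=headers)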
from .models import (
    DBSession,
    User,
    )

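def groupfinder(userid, request):
    """Group callback for the authentication policy.

    Args:
        userid: the principal recovered from the auth ticket.
        request: the current request (unused).

    Returns:
        ``['group:']`` when a ``User`` row with that name exists (every user
        is put in the same group), otherwise ``None`` so the policy treats
        the ticket as belonging to an unknown user. The original only bound
        its result inside the loop body and so raised ``UnboundLocalError``
        for an unknown user.
    """
    session = DBSession()
    if session.query(User).filter(User.name == userid).first() is None:
        return None
    # This group principal is literally 'group:' with nothing after the
    # colon, so it does not match the 'group:editors' entry in the ACL.
    return ['group:']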
目前,出于测试目的,密码仍然以明文形式存储在mysql数据库中


如何使此代码正常工作?

接着再提一个请求——您能否也把您的 groupfinder 函数贴出来?

所以看起来 permission='view' 意味着该视图对所有人开放。如果将其改为 permission='edit',那么它将只对 “editors” 组的成员可用,但这也取决于 groupfinder() 返回的内容。


或者,我认为如果您使用 (Allow, Authenticated, 'edit'),并将权限改为 'edit',那么只有在登录后才能访问它。您可能需要在导入语句中添加 from pyramid.security import Authenticated。

您的ACL列表是什么样子的?“查看”权限是否对所有人开放,还是仅限于经过身份验证的用户?最后,如果你在“匿名模式”下打开一个新的浏览器窗口并转到目标页面,你会被重定向到那里的登录还是直接转到该页面?它会直接转到该页面,似乎没有任何东西被重定向。也许是我想象它重定向了。我想这对每个人都是开放的,检查最新的问题。哦,你是wizzard!Groupfinder被添加到问题中。目标页面现在重定向到私人浏览中的登录页面,登录后直接跳到右侧页面。注销也做它现在应该做的事情。