[users at bb.net] Roles
Paulo Matos
pmatos at linki.tools
Fri Jul 7 10:05:23 UTC 2017
On 07/07/17 11:43, Pierre Tardy wrote:
>
>
> On Fri, Jul 7, 2017 at 11:30 AM Paulo Matos <pmatos at linki.tools> wrote:
>
>
>
> On 07/07/17 10:47, Pierre Tardy wrote:
> > Hi Paulo,
> >
> > This is not something that is supported by current code.
>
> By 'This' you mean disabling anonymous access?
>
> By this I mean using '*' in getRolesFromEmails.
>
> The design for people who need tight control like disabling anonymous
> access is more to use an authentication plugin that supports groups (or
> create one for themselves).
Not sure if I understood what you meant but this seems to work well:
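
import re

from buildbot.plugins import util


class RoleForDomain(util.RolesFromEmails):
    """Grant roles based on the domain part of the user's e-mail address."""

    def __init__(self, **kwargs):
        # This skips RolesFromEmails.__init__: the keyword arguments here
        # map a role to a list of domains, not to e-mail addresses.
        super(util.RolesFromEmails, self).__init__()
        self.domain_roles = {}
        for role, domains in kwargs.items():
            for domain in domains:
                self.domain_roles.setdefault(domain, []).append(role)

    def getRolesFromUser(self, userDetails):
        if 'email' in userDetails:
            email = userDetails['email']
            # Take the domain after the last '@'. The character class
            # includes '-' so that hyphenated domains such as
            # matos-sorge.com are matched in full, and a missing match
            # yields no roles instead of raising AttributeError.
            match = re.search(r'@([a-zA-Z0-9_.-]+)$', email)
            if match and match.group(1) in self.domain_roles:
                return self.domain_roles[match.group(1)]
        return []


authz = util.Authz(
    stringsMatcher=util.fnmatchStrMatcher,
    allowRules=[
        util.AnyEndpointMatcher(role="admin", defaultDeny=True),
        util.AnyControlEndpointMatcher(role="admin"),
    ],
    roleMatchers=[
        RoleForDomain(admin=["matos-sorge.com"])
    ]
)
auth = util.UserPasswordAuth({'pmatos@matos-sorge.com': 'foobar'})
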
In this case if you are not logged in you won't see anything, but if you
log in as pmatos at matos-sorge.com, you'll see everything. Not entirely
clear on how it works, but it does. What I can't understand is really
the endpoints bit which looks a bit complicated.

Would you be interested in a pull request with the code for RoleForDomain?

--
Paulo Matos
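
Added example, not part of the original message and not Buildbot code: RoleForDomain grants roles from nothing but the domain of the e-mail address, so the code below (standalone, no Buildbot import; function names and sample addresses are constructed for illustration) extracts that domain strictly and fails closed. For comparison it also shows how a character class without '-' truncates matos-sorge.com.

```python
import re

# Constructed mapping, same shape as RoleForDomain.domain_roles in the post.
DOMAIN_ROLES = {"matos-sorge.com": ["admin"]}

# One DNS label: letters/digits, inner hyphens allowed, at most 63 characters.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def email_domain(email):
    """Return the lower-cased domain of a well-formed address, else None."""
    if not isinstance(email, str):
        return None
    email = email.strip().lower()
    if email.count("@") != 1:          # reject 'a@b@c' instead of guessing
        return None
    local, domain = email.split("@")
    labels = domain.split(".")
    if not local or len(labels) < 2:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return domain


def roles_for_email(email, domain_roles=DOMAIN_ROLES):
    """Exact-match the domain; anything unparseable or unknown gets no roles."""
    domain = email_domain(email)
    return list(domain_roles.get(domain, [])) if domain else []


def hyphenless_regex_domain(email):
    """For comparison: first '@' followed by a class that lacks '-'."""
    match = re.search(r"@[a-zA-Z0-9_.]+", email)
    return match.group()[1:] if match else None


# Constructed sample addresses (example.net is a reserved documentation domain).
SAMPLES = [
    "pmatos@matos-sorge.com",
    "PMatos@Matos-Sorge.COM",
    "x@sub.matos-sorge.com",
    "x@matos-sorge.com.example.net",
    "x@example.net@matos-sorge.com",
    "no-at-sign",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr!r:40} strict={roles_for_email(addr)} "
              f"regex={hyphenless_regex_domain(addr)!r}")
```

Only the first two samples receive the admin role; subdomains, look-alike suffixes and addresses with more than one '@' get an empty role list.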