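def _check_security(self):
    """Enforce this controller's ``allow_only`` requirement for the current request.

    Returns True whenever access is granted: no requirement is configured, a
    full requirement object passes, or a bare predicate passes. When a bare
    predicate denies access this method does not return normally -- it aborts
    the request with 403 for an authenticated caller or 401 for an anonymous
    one, after queueing the denial reason as a flash message. A full
    requirement (anything exposing a ``predicate`` attribute) is trusted to
    build its own denial response inside ``_check_authorization``.

    Fix: the predicate-pass path previously fell off the end and returned
    None while every other granting path returned True; it now returns True
    as well so callers get a consistent value.
    """
    requirement = getattr(self, 'allow_only', None)
    if requirement is None:
        return True

    if hasattr(requirement, 'predicate'):
        # Full requirement: it produces its own response on denial.
        requirement._check_authorization()
        return True

    # Bare predicate: we have to build the denial response ourselves.
    predicate = requirement
    try:
        predicate.check_authorization(tg.request.environ)
    except NotAuthorizedError as e:
        reason = unicode_text(e)
        if hasattr(self, '_failed_authorization'):
            # A custom handler is expected to abort the request itself; if it
            # returns instead we still fall through and deny access below.
            self._failed_authorization(reason)
        if not_anonymous().is_met(tg.request.environ):
            # Authenticated but not permitted: 403 Forbidden.
            code = 403
            status = 'error'
        else:
            # Not authenticated at all: 401 Unauthorized.
            code = 401
            status = 'warning'
        tg.response.status = code
        # The reason shown to the user is the predicate's own message, not
        # caller-supplied input.
        flash(reason, status=status)
        abort(code, comment=reason)

    # Predicate passed: report success like the other granting paths.
    return True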
def default_denial_handler(self, reason):
    """Deny the request with the current response status, flashing ``reason`` when useful.

    The flash message is skipped only when ``smart_denial`` is enabled and
    the response content type is JSON or XML, i.e. an API client that cannot
    render a flash. The request is then aborted with ``response.status_int``
    (401 or 403, as already set by the caller that detected the denial).
    """
    # 401 means the caller is not authenticated; anything else is a plain denial.
    severity = 'error'
    if response.status_int == 401:
        severity = 'warning'

    api_types = ['application/json', 'text/xml']
    is_api_response = self.smart_denial and response.content_type in api_types
    if not is_api_response:
        flash(reason, status=severity)

    abort(response.status_int, reason)
def default_denial_handler(self, reason):
    """Deny the request, choosing between an HTML flash and an API pass-through.

    With ``smart_denial`` set to a collection of content types, a response
    whose type is in that collection is treated as an API response: no flash
    message is queued and the error is passed through to the client (as JSON
    for ``application/json``). Everything else is handled as a plain HTML
    page. The abort status is whatever ``response.status_int`` already holds.
    """
    passthrough = False
    if self.smart_denial:
        # Fall back to the type negotiated on the request when the response
        # has not set one yet.
        content_type = response.content_type or request.response_type
        if content_type in self.smart_denial:
            # API response: pass the error through, JSON-encoded when applicable.
            passthrough = 'json' if content_type == 'application/json' else True

    # Identity check on purpose: both True and 'json' mean "API, no flash".
    if passthrough is False:
        # HTML page: queue a flash message for the next page render.
        severity = 'warning' if response.status_int == 401 else 'error'
        flash(reason, status=severity)

    abort(response.status_int, reason, passthrough=passthrough)
def default_denial_handler(self, reason):
    """Denial handler that always passes the error through as a JSON response.

    NOTE: nothing here masks 401 responses. If 401 must be hidden for
    security reasons (e.g. to avoid telling a client whether the failure was
    "not authenticated" versus "not permitted"), that logic belongs here.
    """
    denial_status = response.status_int
    abort(denial_status, reason, passthrough='json')
def _failed_authorization(self, reason):
    """Custom denial hook: answer every failed authorization with 402 Payment Required.

    ``reason`` is accepted to satisfy the hook signature but is not reported
    to the client.
    """
    payment_required = 402
    abort(payment_required)
def passthrough_explicit(self):
    """Respond 403 Forbidden with the request's auth challenger switched off.

    NOTE(review): disabling the challenger presumably keeps the 403 from being
    turned into an authentication challenge -- confirm against the auth layer.
    """
    request.disable_auth_challenger()
    forbidden = 403
    abort(forbidden)
def passthrough_abort(self):
    """Respond 403 Forbidden, passing the error through as a JSON body."""
    forbidden = 403
    abort(forbidden, passthrough='json')