Home/ Questions/Q 8655001
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T14:55:31+00:00

I have tables in DB with the same interface for view and edit them

  • 0

I have tables in DB with the same interface for view and edit them with Pyramid app. For example:

Example of route for view record of report table: /birdreport/report/871;

Example of route for edit record of report table: /birdreport/report/871/edit;

Each record of report table has field which contains user_id – this value is the same as returned by authenticated_userid function. It is clear for me how I can disable acces to edit by adding permission to view. But how I can enable access to edit view only for those users which userid presents in corresponding record?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can use the Pyramid authorization policy by defining __acl__() inside your Report model. For example:

    from sqlalchemy.orm import relationship, backref
from pyramid.security import Everyone, Allow

class Report(Base):
    # ...
    user_id = Column(Integer, ForeignKey('user.id'))
    # ...


    @property
    def __acl__(self):
        return [
            (Allow, Everyone, 'view'),
            (Allow, self.user_id, 'edit'),
        ]

    # this also works:
    #__acl__ = [
    #    (Allow, Everyone, 'view'),
    #    (Allow, self.user_id, 'edit'),
    #]

class User(Base):
    # ...
    reports = relationship('Report', backref='user')

    The __acl__() above will allow everyone to call your view view, but only the user related to Report to edit it.

    It’s likely that you haven’t had authentication policy or authorization policy enabled, to quote the documentation:

    Use the set_authorization_policy() method of the Configurator to enable an authorization policy.

    You must also enable an authentication policy in order to enable the authorization policy. This is because authorization, in general, depends upon authentication. Use the set_authentication_policy() and method during application setup to specify the authentication policy.

    from pyramid.config import Configurator
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
authentication_policy = AuthTktAuthenticationPolicy('seekrit')
authorization_policy = ACLAuthorizationPolicy()
config = Configurator()
config.set_authentication_policy(authentication_policy)
config.set_authorization_policy(authorization_policy)

    The above configuration enables a policy which compares the value of an “auth ticket” cookie passed in the request’s environment which contains a reference to a single principal against the principals present in any ACL found in the resource tree when attempting to call some view.

    While it is possible to mix and match different authentication and authorization policies, it is an error to configure a Pyramid application with an authentication policy but without the authorization policy or vice versa. If you do this, you’ll receive an error at application startup time.

    • 0