| Authors: | Chris McDonough, Agendaless Consulting |
|---|---|
| Date: | 2013/03/16 (PyCon 2013) |
Code-heavy talk. You're encouraged to grab the code samples from https://github.com/mcdonc/bikes, or you can follow along online from there.
The talk evolves an application from no security at all to too much security.
We'd like to be able to defer thinking about security at all in the initial stages of our project.
Although it's less immediately understandable than ad-hoc imperative code, for larger projects making security mostly declarative is useful: the rules become data checked by one evaluator instead of conditionals scattered through view code. Declarative security means fewer conditions; conditions are where bugs live.
"Global" security: "Fred can delete blog posts", "Authenticated users can delete blog posts".
"Object-level" security: "Fred can delete this blog post, but not that blog post". AKA "row-level security" in SQL-based systems.
Principal: a user or group. Often a string. A single real person is usually associated with several principals (e.g. Fred might be represented by "fred", "Authenticated", "Everyone", and "group:admins").
Permission: a unique string representing an action, usually a verb. "delete", "read", "edit", etc.
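To make the four terms above concrete, here is an added example (not code from the talk, the bikes repository, or Pyramid itself) of a minimal declarative ACL evaluator modelled on the first-match semantics of Pyramid's ACL authorization: walk from the object up to the root, and within each ACL top to bottom; the first access-control entry whose principal the caller holds and whose permission matches decides, and no match means deny. The `Everyone` and `Authenticated` string values mirror Pyramid's, while the `Resource` class, the `effective_principals` helper and the sample blog tree are assumptions constructed for this example. It shows "global" rules on the root, an "object-level" grant (fred can delete this post but not that one), and the caveat that a trailing `Deny` on `Everyone` for all permissions stops the walk before the root is consulted, so it shuts out admins too.

```python
"""Minimal ACL evaluator modelled on Pyramid-style first-match semantics.

Added example, not code from the talk or from Pyramid.  All security data
lives in ACL lists on resources; the only conditional logic is permits().
"""
from dataclasses import dataclass, field
from typing import Iterator, Optional

# Allow/Deny and the two built-in principals use Pyramid's string values;
# ALL_PERMISSIONS is a sentinel that matches any permission.
Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"
ALL_PERMISSIONS = object()


@dataclass
class Resource:
    """A node in a resource tree (assumed class); `acl` plays __acl__'s role."""
    name: str
    acl: list = field(default_factory=list)
    parent: Optional["Resource"] = None


def lineage(resource: Resource) -> Iterator[Resource]:
    """Yield the resource, then each ancestor up to the root."""
    node: Optional[Resource] = resource
    while node is not None:
        yield node
        node = node.parent


def effective_principals(userid: Optional[str], groups=()) -> frozenset:
    """Expand one real person into the set of principals used for authorization:
    Everyone always; Authenticated, the userid and group principals if logged in."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid, *groups]
    return frozenset(principals)


def _ace_matches(perms, permission: str) -> bool:
    """An ACE may name one permission, a sequence of them, or ALL_PERMISSIONS."""
    if perms is ALL_PERMISSIONS:
        return True
    if isinstance(perms, str):
        return perms == permission
    return permission in perms


def permits(resource: Resource, principals: frozenset, permission: str) -> bool:
    """First-match evaluation from the object up to the root; default deny."""
    for node in lineage(resource):
        for action, principal, perms in node.acl:
            if principal in principals and _ace_matches(perms, permission):
                return action == Allow
    return False


def build_blog() -> dict:
    """Constructed sample tree: global rules on the root, three posts below."""
    root = Resource("blog", acl=[
        (Allow, Authenticated, "view"),             # global: logged-in users read
        (Allow, "group:editors", ("view", "edit")),  # global: editors also edit
        (Allow, "group:admins", ALL_PERMISSIONS),    # global: admins do anything
    ])
    # Object-level: fred may delete *this* post, and only this one.
    post_a = Resource("post-a", acl=[(Allow, "fred", "delete")], parent=root)
    post_b = Resource("post-b", parent=root)        # inherits the root ACL only
    # Private draft: fred gets everything, then Everyone is denied everything.
    # The Deny matches before the walk reaches the root, so admins lose too.
    draft = Resource("draft", acl=[
        (Allow, "fred", ("view", "edit", "delete")),
        (Deny, Everyone, ALL_PERMISSIONS),
    ], parent=root)
    return {"root": root, "post_a": post_a, "post_b": post_b, "draft": draft}


if __name__ == "__main__":
    blog = build_blog()
    fred = effective_principals("fred")
    admin = effective_principals("alice", ["group:admins"])
    for name, who, perm in [("post_a", fred, "delete"), ("post_b", fred, "delete"),
                            ("post_b", admin, "delete"), ("draft", admin, "view")]:
        print(name, perm, "->", permits(blog[name], who, perm))
```

The design point is that adding a new rule never touches `permits()`: you append a tuple to a resource's ACL, and the one evaluator stays small enough to read and test exhaustively. The ordering caveat is real in any first-match scheme: put the grants you want to survive before a blanket `Deny`, and remember that a `Deny` on `Everyone` for all permissions on a child silently overrides every inherited `Allow`, admins included.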
We're going to follow code from here on in.
Michael Merickel's Pyramid Auth Demo:
michael.merickel.org/projects/pyramid_auth_demo/