[mod_python] Re: more callable__auth__

Joshua Ginsberg listspam at flowtheory.net
Sat Feb 25 12:19:21 EST 2006


Interesting essay. If you're interested I've posted a rebuttal for the 
list administrators' consideration:

http://starboard.flowtheory.net/blog/?q=node/170

-jag

On Feb 25, 2006, at 3:32 AM, Nicolas Lehuen wrote:

> That is called "Reply-To Munging" and is considered harmful by some.
>
> http://www.unicom.com/pw/reply-to-harmful.html
>
> Regards,
> Nicolas
>
> 2006/2/25, Joshua Ginsberg <listspam at flowtheory.net>:
>> Wow -- I'm the administrivia whore today... sorry about that...
>>
>> Why don't we configure the list to have the reply-to be back to the
>> list? :-) I can't tell you the number of times I hit reply instead of
>> remembering to hit "Reply All", a button which I generally consider to
>> be the brainchild of Satan.
>>
>> -jag
>>
>> On Feb 24, 2006, at 7:59 PM, Graham Dumpleton wrote:
>>
>>> Please keep followups on mailing list. :-(
>>>
>>> On 25/02/2006, at 11:28 AM, Robert Thomas Davis wrote:
>>>
>>>> Graham
>>>>
>>>> ...finally got everything up and running with the new
>>>> version :)  Now I get a NameError exception on the
>>>> call to validate_user (which, at least, is a step in
>>>> the right direction)!!
>>>>
>>>> Do you have any suggestions as to what would be a
>>>> better way to structure this so I don't encounter that
>>>> issue?  Basically what I am trying to accomplish is
>>>> the following...
>>>>
>>>> There will be more defs in index.py (like the devices
>>>> def) whose contents I want to protect.  I want to
>>>> ensure that the user will have to enter their
>>>> user/passwd anytime attempts are made to access these
>>>> functions (unless the current session is still valid
>>>> of course).  After reading that article you referenced
>>>> it seems I would need to move the validate_user
>>>> function to an outside module and then import it
>>>> inside the def __auth__()??
>>>
>>> Personally I wouldn't use the mod_python.publisher authentication,
>>> but that is a topic for another time.
>>>
>>> If you must use the mod_python.publisher support for basic
>>> authentication, then use a wrapper class to do it. If you have
>>> Python 2.4, you could even use decorators for the purpose to make
>>> it a really clean solution.
>>>
>>> Basic code is:
>>>
>>>   from mod_python import apache
>>>
>>>   class Restricted:
>>>     def __init__(self,method,realm="Restricted Access"):
>>>       self.__call__ = method
>>>       self.__auth_realm__ = realm
>>>     def __auth__(self,req,user,password):
>>>       apache.log_error("__auth__")
>>>       return user == "mickey" and password == "mouse"
>>>
>>>   def index(req):
>>>     return "index"
>>>
>>>   def page1(req):
>>>     return "page1"
>>>
>>>   def page2(req):
>>>     return "page2"
>>>
>>>   page2 = Restricted(page2)
>>>
>>> The "Restricted" class acts as a wrapper around the published
>>> function. The auth functions are actually in the wrapper class.
>>> Because the wrapper class is at global scope, you don't have the
>>> problem with nested functions that you are seeing.
>>>
>>> I don't have Python 2.4, so can't give you a solution which uses
>>> decorators, but I am sure that someone else on the mailing list who
>>> has and understands decorators could provide some code pretty quick.
>>> The idea with decorators is you should be able to set up the code so
>>> all you need to do is something like:
>>>
>>>   def index(req):
>>>     return "index"
>>>
>>>   def page1(req):
>>>     return "page1"
>>>
>>>   @restricted
>>>   def page2(req):
>>>     return "page2"
>>>
>>> The decorator would do the magic of wrapping the function for you
>>> automatically. To me this would be a really clean solution, although
>>> possibly restricted to use of functions.
>>>
>>> Anyone want to step up and provide a decorator solution for this?
>>>
>>>> Also, do any RPMs exist for these more recent versions
>>>> of mod_python OR is there a documented procedure for
>>>> building a mod_python RPM from the recent releases?
>>>
>>> I imagine someone will put together an RPM for 3.2.7/3.2.8
>>> at some stage. This is usually done by someone attached to
>>> the maintainers of the Linux distribution and not the mod_python
>>> folks though.
>>>
>>> Graham
>>>
>>>> --- Graham Dumpleton <grahamd at dscpl.com.au> wrote:
>>>>
>>>>> Robert Thomas Davis wrote ..
>>>>>> Graham
>>>>>>
>>>>>> Sorry...your replies were being sent to the "bulk"
>>>>>> folder...glad I checked it before just deleting all!
>>>>>>
>>>>>> I am using mod_python 3.1.3 with apache 2.0.53 on
>>>>>> Fedora Core 3.
>>>>>
>>>>> Any chance you can upgrade to mod_python 3.2.7? I really can't find
>>>>> any problem with the basic structure of what you are doing, but there
>>>>> have been fixes to publisher in 3.2.7 that may mean I am not seeing
>>>>> the problem.
>>>>>
>>>>>> The url I use to access the "devices" page (the one I
>>>>>> would like to protect) is http://localhost/devices.
>>>>>>
>>>>>> I do agree about having the info on the mailing list
>>>>>> so others could learn from it; maybe we can post the
>>>>>> results.
>>>>>
>>>>> The ongoing discussion is also useful, as the actual debugging process
>>>>> itself can be just as useful as the final result. Thus, use reply-all.
>>>>>
>>>>> Graham
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> --- Graham Dumpleton <grahamd at dscpl.com.au> wrote:
>>>>>>
>>>>>>> BTW, I can't seem to find that you have ever said exactly which
>>>>>>> version of mod_python you are using. Are you using the latest
>>>>>>> version?
>>>>>>>
>>>>>>> Graham
>>>>>>>
>>>>>>> Graham Dumpleton wrote ..
>>>>>>>> Still generally prefer it to be on the mailing list as other
>>>>>>>> people can learn from it and it is in the mailing list archive
>>>>>>>> as well, so people down the track may find it as well and it
>>>>>>>> may solve a problem for them also.
>>>>>>>>
>>>>>>>> One more question. What URLs are you using to access the
>>>>>>>> resources so I can relate that properly to the Apache
>>>>>>>> configuration and the published functions in the file?
>>>>>>>>
>>>>>>>> Graham
>>>>>>>>
>>>>>>>> Robert Thomas Davis wrote ..
>>>>>>>>> Hello Graham
>>>>>>>>>
>>>>>>>>> I really appreciate your help with this...and since
>>>>>>>>> you have been the only one responding I thought I
>>>>>>>>> might as well just mail you the files in question
>>>>>>>>> (index.py and httpd.conf, attached as a .tgz)
>>>>>>>>>
>>>>>>>>> The file index.py would normally live in the
>>>>>>>>> directory:
>>>>>>>>> /usr/local/lap/http/
>>>>>>>>>
>>>>>>>>> Based on your last reply I am wondering if it is my
>>>>>>>>> httpd.conf file that is set up incorrectly (I do not
>>>>>>>>> get the 500 error at all).  When the enclosed code
>>>>>>>>> gets executed it appears as though it skips right over
>>>>>>>>> the nested __auth__ function.  However, if that
>>>>>>>>> function is moved to the module scope (index.py) it
>>>>>>>>> always gets called and subsequently calls the
>>>>>>>>> validate_users function.
>>>>>>>>>
>>>>>>>>> Again...your help is much appreciated.
>>>>>>>>>
>>>>>>>>> Rob
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Mod_python mailing list
>>>>>>>> Mod_python at modpython.org
>>>>>>>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>
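
The decorator Graham asks for in the quoted message, sketched as an added example (not code from the thread or from mod_python), with the credential check passed in and compared in constant time rather than hard-coded in the wrapper. Assumptions: `restricted`, this version of `Restricted` and `static_user` are illustrative names; mod_python.publisher is assumed to read `__auth__` and `__auth_realm__` from the published object, as the wrapper class in the thread relies on; the code targets a current Python interpreter, not Python 2.4.

```python
import hmac


class Restricted(object):
    """Wraps one published function and carries its auth attributes."""

    def __init__(self, method, check, realm):
        self._method = method
        self._check = check                 # callable(user, password) -> bool
        self.__auth_realm__ = realm         # same attribute the thread's class sets
        self.__name__ = getattr(method, "__name__", "restricted")

    def __call__(self, req, *args, **kwargs):
        return self._method(req, *args, **kwargs)

    def __auth__(self, req, user, password):
        # Fail closed: missing credentials or a checker error denies access.
        if user is None or password is None:
            return False
        try:
            return bool(self._check(user, password))
        except Exception:
            return False


def restricted(check, realm="Restricted Access"):
    """Decorator factory: @restricted(checker) replaces the function with a wrapper."""
    def decorate(method):
        return Restricted(method, check, realm)
    return decorate


def static_user(expected_user, expected_password):
    """Hypothetical checker: one fixed account, compared in constant time."""
    def check(user, password):
        user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
        pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
        return user_ok and pass_ok
    return check


def index(req):
    return "index"


@restricted(static_user("mickey", "mouse"))   # sample credentials from the thread
def page2(req):
    return "page2"
```

Because the wrapper instance lives at module scope, the auth hook does not depend on a nested function's name lookup, which is the point of the wrapper class in the quoted reply.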


