The publisher handler provides simple ways to control access to modules and functions.
At every traversal step, the Publisher handler checks for presence of __auth__ and __access__ attributes (in this order), as well as __auth_realm__ attribute.
If __auth__ is found and it is callable, it will be called
with three arguments: the Request object, a string containing
the user name and a string containing the password. If the return
If __auth__ is a dictionary, then the user name will be matched against the key and the password against the value associated with this key. If the key and password do not match, HTTP_UNAUTHORIZED is returned. Note that this requires storing passwords as clear text in source code, which is not very secure.
__auth__ can also be a constant. In this case, if it is false
If there exists an
If __access__ is found and it is callable, it will be called
with two arguments: the Request object and a string containing
the user name. If the return value of
If __access__ is a list, then the user name will be matched against the list elements. If the user name is not in the list, HTTP_FORBIDDEN is returned.
Similarly to __auth__, __access__ can be a constant.
In the example below, only user "eggs" with password "spam"can access the
Here is the same functionality, but using an alternative technique:
Since functions cannot be assigned attributes, to protect a function,
Note that this technique will also work if
Note: In order for mod_python to access __auth__, the module containing it must first be imported. Therefore, any module-level code will get executed during the import even if __auth__ is false. To truly protect a module from being accessed, use other authentication mechanisms, e.g. the Apache
What is this????|