[mod_python] Access checking against another path

Graham Dumpleton graham.dumpleton at gmail.com
Mon Apr 30 21:32:35 EDT 2007


On 01/05/07, Roger Binns <rogerb at rogerbinns.com> wrote:
> Graham Dumpleton wrote:
> > Note that when using req.internal_redirect(), that called resource
> > then effectively generates the complete response. If you want the
> > output of the sub request to be included as a subcomponent of HTML of
> > parent, then you would really need to do a Python import to get access
> > to Python code for your sub handler and invoke direct as Python code.
>
> I still don't see how this helps me.  It is closer, but doesn't solve
> the fundamental problem of wanting to check the access control.  My
> handler code for /admin would look something like this:
>
> def handler(req):
>   print "Hello world"
>
>   # I can't see how to do the next two lines which could have
>   # different permissions
>   ... check credentials in req against "/api/object/list"
>   ... check credentials in req against "/api/object3/delete"
>
>   # The next two could be done by calling the code that
>   # implements /api directly (or playing with internal_redirect)
>   items=request("/api/object/list")
>   request("/api/%s/delete" % (items[3],))
>
>   print "more output saying item3 was deleted"

What type of authentication is being used? Is it 'Basic' for AuthType
or something entirely different?

The problem is that the way you are doing it is more or less
circumventing Apache's normal authentication mechanisms. Even if one
had access to the full Apache C API, I am not sure you could do it in a
way that would be seen as being correct for the way Apache works.

The only way I could conceive of you being able to do it then would be
using a session/cookie based mechanism as the other person suggested, with
a concept of user roles whereby a user who hasn't logged in through the web
form doesn't have rights to do stuff. I.e., the sub handlers, when
called as Python objects, would check what role the session has and reject
the call if it doesn't have the required rights.

Graham
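One way of realizing the session/role approach Graham describes, as an added example that is not code from this thread or from mod_python: the /api sub-handlers are plain Python functions, each guarded by a role decorator that looks up the session bound to the request's cookie, so the check runs identically whether the function is reached by URL or called directly from the /admin handler. The Request stand-in, the in-memory session store, the cookie name, the role names and the PermissionDenied class are all assumed for illustration.

```python
"""Role-based access checks on sub-handlers invoked directly as Python.

Added example, not code from the mailing list or from mod_python. The
Request class, SESSIONS store, cookie name and role names are assumed.
"""
import functools
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # assumed cookie name set by the login form

# Constructed in-memory session store: cookie value -> session record.
# A real deployment would use a server-side store keyed by a random,
# unguessable session id issued only after a successful form login.
SESSIONS = {
    "s-admin-1": {"user": "alice", "roles": {"viewer", "admin"}},
    "s-viewer-1": {"user": "bob", "roles": {"viewer"}},
}


class PermissionDenied(Exception):
    """Raised by a sub-handler when the session lacks the required role."""


class Request:
    """Minimal stand-in for the mod_python request object (assumed shape):
    only the incoming Cookie header is needed for this example."""

    def __init__(self, cookie_header=""):
        self.headers_in = {"Cookie": cookie_header} if cookie_header else {}


def session_for(req):
    """Return the session record for the request's cookie, or None."""
    cookie = SimpleCookie(req.headers_in.get("Cookie", ""))
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def requires_role(role):
    """Decorator: the wrapped sub-handler checks the session's roles itself,
    so the check is enforced for direct Python calls, not only for URL hits."""

    def deco(func):
        @functools.wraps(func)
        def wrapper(req, *args, **kwargs):
            sess = session_for(req)
            if sess is None or role not in sess["roles"]:
                raise PermissionDenied(
                    f"{func.__name__} requires role {role!r}")
            return func(req, *args, **kwargs)
        return wrapper
    return deco


# Constructed data behind the /api sub-handlers.
OBJECTS = ["object0", "object1", "object2", "object3"]


@requires_role("viewer")
def list_objects(req):
    """Equivalent of /api/object/list, callable directly as Python."""
    return list(OBJECTS)


@requires_role("admin")
def delete_object(req, name):
    """Equivalent of /api/<name>/delete, callable directly as Python."""
    OBJECTS.remove(name)
    return name


def admin_handler(req):
    """The /admin handler from the thread: it calls the sub-handlers as
    Python functions; each enforces its own role, and a refusal is
    reported instead of being bypassed."""
    output = ["Hello world"]
    try:
        items = list_objects(req)
        deleted = delete_object(req, items[3])
        output.append(f"item3 ({deleted}) was deleted")
    except PermissionDenied as exc:
        output.append(f"refused: {exc}")
    return output


if __name__ == "__main__":
    for header in ("", "sid=s-viewer-1", "sid=s-admin-1"):
        print(header or "(no cookie)", "->", admin_handler(Request(header)))
```

The point of putting the check inside each sub-handler rather than in /admin is that /admin cannot forget or misstate it: a viewer-only session gets the listing but is refused on the delete, and a request with no session cookie is refused before anything runs.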
