Adding a CMS to Your Pyramid Web App Transcripts
Chapter: Redirects and the admin section
Lecture: Cleaner permission checks
0:00
If you look at this code, it looks pretty decent, right? We've got our index method and we're validating the user, and we've got this.
0:07
Now it turns out that this is going to require checking permissions on many different places.
0:14
And I want to just show you a slightly better way we can write this. If you prefer this over what I'm about to show you, just leave it. It works great.
0:21
But what I would like to do is I would like to take the validation out of the function here,
0:27
and I would like to put some kind of decorator like, say, 'permissions.admin' or something like that,
0:33
and put this up there and say: this entire function always, always, always requires that the user is an admin, and put it up here like this.
0:41
To me, it's a little easier to check that the permissions are set this way, and you know this won't be here anymore. This will just be gone.
0:47
We'd just write the regular code, and because this decorator is up here, it's going to do the check.
0:52
Turns out that that's pretty straightforward to write. Let's go over here and create a new file called permissions. Write a function called admin.
1:02
Now, decorators are weird if you haven't written them before. So what we have to pass is a view function.
1:10
We're gonna pass that in, and then what we're gonna do is create another function that adds some behavior, then calls this view function, and return that.
1:18
So it's kind of an in-line replacement of functions. This function that we're going to write,
1:26
this checker method, I don't know what you would call it, checker function, it's going to have the same signature as the view function.
1:33
Look over here, that is, it's going to take a request just like this. And we can make this explicit or not. Mostly this is just for us to remember.
1:46
So in here we're going to return the value of calling the view function, passing in the request. Let's write this really quick, like so.
1:57
Then the goal of this, this decorator here, this admin thing, is to just pass back the function that's going to be called, not call it.
2:05
Okay, so it passes it back, then Pyramid is gonna call this function, which is going to do some validation and then call this view.
2:13
So this is where we add our validation. We're gonna need to check the user and again,
2:15
using that view model that knows how to do all that magic is probably the easiest.
2:19
So, gonna say ViewModelBase, do our double Control-Space to get the magic happening. Pass the request over.
2:26
And we'll say 'if not vm.user or not vm.user.is_admin'. Then we're gonna do the same thing.
2:34
We're gonna raise an HTTPForbidden like this, import that, and we could give it a message like 'you must be an admin'.
2:49
Something like that: 'You must be an admin to access this section.' And actually, this should work.
2:54
So we can come over here, hide that away. We have to import this there; other than that, we should be golden, actually.
3:01
So we're gonna go up here, put this decorator on here,
3:04
it's gonna take this function and replace it with this outer function that does the validation plus calling itself.
3:10
Let's give it a shot. We come over here. We have our admin section there, and notice the admin thing here as well.
3:18
Here's a regular page, still working. Here's an admin page, allowing it. Why? Because my user is an admin. Let's go see.
3:27
Here we go. We already got that open. Let's go make me not an admin.
3:31
Push that to the database. Now, if I hit refresh, it should check, and I'm no longer a user.
3:35
Well, first let's see over here that my admin permission went away. See it? It's gone from here. If I refresh this, it should not let me in.
3:43
And just like before, it doesn't. As many times as I want. No, no, no, you don't get to go in unless you're an admin.
3:50
Leave that to the database. Try one more time. Hey, look, I'm an admin, I'm in.
3:54
So this is the alternate model that I'm going to use for all the things that require admin access,
3:58
or you could extend this for whatever other types of checks you want, but if it requires admin access,
4:03
I'm gonna put this decorator on it rather than doing it throughout the rest of our CMS admin section.
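The decorator built in this lecture, written out as an added example that is not the course's own code. Pyramid is not imported here: the `HTTPForbidden`, `Request`, `User` and `ViewModelBase` classes are minimal stand-ins (assumptions) for the real `pyramid.httpexceptions.HTTPForbidden` and the course's own view model, so the example runs without Pyramid installed. It also goes one step beyond the lecture, as the closing remark suggests, with a `requires(check, message)` factory that turns any predicate over the view model into the same kind of decorator. The `CALLS` list and `outcome` helper are only there to show that a denied request never reaches the view body.

```python
import functools

# --- Stand-ins for the Pyramid pieces the lecture uses (assumptions) ---------

class HTTPForbidden(Exception):
    """Minimal substitute for pyramid.httpexceptions.HTTPForbidden."""
    def __init__(self, message="Forbidden"):
        super().__init__(message)
        self.message = message

class User:
    def __init__(self, name, is_admin):
        self.name = name
        self.is_admin = is_admin

class Request:
    """Constructed request object; a real Pyramid request carries much more."""
    def __init__(self, user=None):
        self.user = user

class ViewModelBase:
    """Hypothetical view model: the course's version resolves the user from the session."""
    def __init__(self, request):
        self.request = request
        self.user = request.user

# --- The decorator from the lecture -----------------------------------------

def admin(view_function):
    """Replace a view with a checker that only calls it for admin users."""
    @functools.wraps(view_function)  # keep the original name/docstring for tooling
    def checker(request):
        vm = ViewModelBase(request)
        # Default-deny: an anonymous user and a non-admin user are both rejected.
        if not vm.user or not vm.user.is_admin:
            raise HTTPForbidden("You must be an admin to access this section.")
        return view_function(request)
    return checker

# --- Generalisation: the same shape for any check over the view model ---------

def requires(check, message="Forbidden"):
    """Build a view decorator from a predicate `check(vm) -> bool`."""
    def decorator(view_function):
        @functools.wraps(view_function)
        def checker(request):
            vm = ViewModelBase(request)
            if not check(vm):
                raise HTTPForbidden(message)
            return view_function(request)
        return checker
    return decorator

# --- Views using the decorators (constructed for the demo) ------------------

CALLS = []  # records which view bodies actually ran

@admin
def index(request):
    CALLS.append("index")
    return {"page": "admin index"}

@requires(lambda vm: vm.user is not None, "You must be logged in.")
def profile(request):
    CALLS.append("profile")
    return {"page": "profile", "user": request.user.name}

def outcome(view, request):
    """Call a view and report either its result or the forbidden message."""
    try:
        return ("ok", view(request))
    except HTTPForbidden as e:
        return ("forbidden", e.message)

if __name__ == "__main__":
    alice = User("alice", is_admin=True)
    bob = User("bob", is_admin=False)
    print(outcome(index, Request(alice)))    # ('ok', {'page': 'admin index'})
    print(outcome(index, Request(bob)))      # ('forbidden', 'You must be an admin ...')
    print(outcome(index, Request(None)))     # anonymous is also refused
    print(outcome(profile, Request(bob)))    # ('ok', {'page': 'profile', 'user': 'bob'})
    print(outcome(profile, Request(None)))   # ('forbidden', 'You must be logged in.')
    print(index.__name__)                    # 'index', thanks to functools.wraps
```

Two details worth keeping when you adapt this: the check happens before `view_function` is called, so a refused request never executes the view body (the `CALLS` list stays empty for denied calls), and `functools.wraps` preserves the wrapped view's `__name__` and docstring, which matters as soon as other decorators or tooling inspect the function.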