Overview
AuthKit and TurboGears Identity each perform both authentication and authorization.
TurboGears Identity also handles storing the identity (e.g. turbogears.identity.saprovider).
Authorization
Components and naming
In both, authorization is roughly broken up into two parts - a set of functions that say that authorization should occur (authorizing functions), and a set of objects that describe what sort of authorization is required (authorization conditions).
In AuthKit, the authorizing functions are authkit.authorize.middleware, authkit.pylons_adapter.authorize (a decorator), authkit.pylons_adapter.authorize_request (raises an exception on failure), and authkit.pylons_adapter.authorized (returns False on failure).
In TurboGears, the authorizing functions are turbogears.identity.conditions.require (a decorator), turbogears.identity.conditions.SecureResource (a base class for controllers that checks the 'require' attribute for a Condition before allowing access to object attributes via __getattribute__), and turbogears.identity.conditions.SecureObject (a wrapper around an object that will check the given 'require' parameter for a Condition before allowing access to the object).
In AuthKit, the authorization conditions are called "Permissions", and in TurboGears, they are called "Conditions".
(nbm: I much prefer the term "Condition", since "Permission" doesn't seem to match the idea of "if from this host" or "if in this group".)
Permission/Condition comparison table
| AuthKit Permission | Description | TurboGears Identity Condition |
|---|---|---|
| authkit.permissions.UserIn | Ensures the name of the user is in a given list of users. Example: UserIn(['admin', 'root']) | No comparable condition |
| authkit.permissions.Exists | Ensures that a given key is in "environ" | No comparable condition |
| authkit.permissions.And | Checks that all given Permissions are true. Example: And(UserIn(['admin', 'root']), Exists('REMOTE_USER')) | turbogears.identity.conditions.All |
| authkit.permissions.RemoteUser | Checks that the REMOTE_USER variable is set in "environ". Example: RemoteUser(accept_empty=False) | turbogears.identity.conditions.not_anonymous |
| authkit.permissions.HasAuthKitRole | Checks that the user named in REMOTE_USER has the given "role" | turbogears.identity.conditions.has_permission |
| authkit.permissions.HasAuthKitGroup | Checks that the user named in REMOTE_USER is in the given group. Example: HasAuthKitGroup('friends') | turbogears.identity.conditions.in_group |
| authkit.permissions.ValidAuthKitUser | Checks that the user named in REMOTE_USER is in the user API | No comparable condition |
| No comparable permission | Checks if any in a list of conditions succeeds. Example: Any(from_host("127.0.0.1"), in_group('admin')) | turbogears.identity.conditions.Any |
| No comparable permission | Checks if the user is in all of the given groups. Example: in_all_groups('admin', 'users', 'friends') | turbogears.identity.conditions.in_all_groups |
| No comparable permission | Checks if the user is in any of the given groups. Example: in_any_groups('admin', 'users', 'friends') | turbogears.identity.conditions.in_any_groups |
| No comparable permission | Checks if the user has all of the given permissions. Example: has_all_permissions('read', 'write', 'delete') | turbogears.identity.conditions.has_all_permissions |
| No comparable permission | Checks if the user has any of the given permissions. Example: has_any_permissions('read', 'write', 'delete') | turbogears.identity.conditions.has_any_permissions |
| No comparable permission | Checks if the user is coming from a given host | turbogears.identity.conditions.from_host |
| No comparable permission | Checks if the user is coming from one of the given hosts. Example: from_any_host(['127.0.0.1', '10.11.12.13']) | turbogears.identity.conditions.from_any_host |
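
The split between authorizing functions and authorization conditions described under "Components and naming" can be seen in a small stand-alone model. This is an added example, not AuthKit or TurboGears code: the function names are borrowed from the page only to mirror each role, while Identity, NotAuthorized and all function bodies are assumptions made for the illustration, including the choice to reject an empty All().

```python
from dataclasses import dataclass
from functools import wraps

class NotAuthorized(Exception):
    """Raised by the exception-style authorizing functions (hypothetical)."""

@dataclass(frozen=True)
class Identity:  # hypothetical stand-in for the request's identity
    user: str = ""                   # "" means anonymous
    groups: frozenset = frozenset()
    host: str = ""

# Authorization conditions: predicates that describe what is required.
def not_anonymous():
    return lambda ident: bool(ident.user)

def in_group(name):
    return lambda ident: name in ident.groups

def from_host(addr):
    return lambda ident: ident.host == addr

def Any(*conds):  # any() of nothing is False, so an empty Any denies
    return lambda ident: any(c(ident) for c in conds)

def All(*conds):
    if not conds:  # all() of nothing is True; refuse so an empty All cannot grant
        raise ValueError("All() needs at least one condition")
    return lambda ident: all(c(ident) for c in conds)

# Authorizing functions: where the check runs and how failure surfaces.
def authorized(cond, ident):         # boolean style: returns False on failure
    return bool(cond(ident))

def authorize_request(cond, ident):  # exception style: raises on failure
    if not authorized(cond, ident):
        raise NotAuthorized(ident.user or "anonymous")

def require(cond):                   # decorator style: body runs only on success
    def decorate(func):
        @wraps(func)
        def wrapper(ident, *args, **kwargs):
            authorize_request(cond, ident)
            return func(ident, *args, **kwargs)
        return wrapper
    return decorate

@require(Any(from_host("127.0.0.1"), All(not_anonymous(), in_group("admin"))))
def admin_page(ident):
    return "admin page for %s" % (ident.user or "local")
```

With the boolean style, the caller has to act on the False result itself; the exception and decorator styles stop the protected code from running without any further action by the caller.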