Overview
AuthKit and TurboGears Identity both perform authentication and authorization.
TurboGears Identity also handles storing the identity (e.g. turbogears.identity.saprovider).
Authorization
Components and naming
In both, authorization is roughly broken up into two parts - a set of functions that say that authorization should occur (authorizing functions), and a set of objects that describe what sort of authorization is required (authorization conditions).
In AuthKit, the authorizing functions are authkit.authorize.middleware, authkit.pylons_adapter.authorize (a decorator), authkit.pylons_adapter.authorize_request (raises an exception on failure), and authkit.pylons_adapter.authorized (returns False on failure).
In TurboGears, the authorizing functions are turbogears.identity.conditions.require (a decorator), turbogears.identity.conditions.SecureResource (a base class for controllers that checks the 'require' attribute for a Condition before allowing access to object attributes via `__getattribute__`), and turbogears.identity.conditions.SecureObject (a wrapper around an object that will check the given 'require' parameter for a Condition before allowing access to the object).
In AuthKit, the authorization conditions are called "Permissions", and in TurboGears, they are called "Conditions".
(nbm: I much prefer the term "Condition", since "Permission" doesn't seem to match the idea of "if from this host" or "if in this group".)
Permission/Condition comparison table
| AuthKit Permission | Description | TurboGears Identity Condition |
|---|---|---|
| authkit.permissions.UserIn | Ensures the name of the user is in a given list of users. Example: `UserIn(['admin', 'root'])` | No comparable condition |
| authkit.permissions.Exists | Ensures that a given key is in "environ". Example: `Exists('REMOTE_USER')` | No comparable condition |
| authkit.permissions.And | Checks that all given Permissions are true. Example: `And(UserIn(['admin', 'root']), Exists('REMOTE_USER'))` | turbogears.identity.conditions.All |
| authkit.permissions.RemoteUser | Checks that the REMOTE_USER variable is set in "environ". Example: `RemoteUser(accept_empty=False)` | turbogears.identity.conditions.not_anonymous |
| authkit.permissions.HasAuthKitRole | Checks that the user named in REMOTE_USER has the given "role". Example: `HasAuthKitRole('admin')` | turbogears.identity.conditions.has_permission |
| authkit.permissions.HasAuthKitGroup | Checks that the user named in REMOTE_USER is in the given group. Example: `HasAuthKitGroup('friends')` | turbogears.identity.conditions.in_group |
| authkit.permissions.ValidAuthKitUser | Checks that the user named in REMOTE_USER is in the user API. Example: `ValidAuthKitUser()` | No comparable condition |
| No comparable permission | Checks if any in a list of conditions succeeds. Example: `Any(from_host("127.0.0.1"), in_group('admin'))` | turbogears.identity.conditions.Any |
| No comparable permission | Checks if the user is in all of the given groups. Example: `in_all_groups('admin', 'users', 'friends')` | turbogears.identity.conditions.in_all_groups |
| No comparable permission | Checks if the user is in any of the given groups. Example: `in_any_groups('admin', 'users', 'friends')` | turbogears.identity.conditions.in_any_groups |
| No comparable permission | Checks if the user has all of the given permissions. Example: `has_all_permissions('read', 'write', 'delete')` | turbogears.identity.conditions.has_all_permissions |
| No comparable permission | Checks if the user has any of the given permissions. Example: `has_any_permissions('read', 'write', 'delete')` | turbogears.identity.conditions.has_any_permissions |
| No comparable permission | Checks if the user is coming from a given host. Example: `from_host('127.0.0.1')` | turbogears.identity.conditions.from_host |
| No comparable permission | Checks if the user is coming from one of the given hosts. Example: `from_any_host(['127.0.0.1', '10.11.12.13'])` | turbogears.identity.conditions.from_any_host |
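
A minimal, self-contained model of the split described under "Components and naming" (authorizing functions versus authorization conditions) and of the combinators in the table, added here as an illustration; it is not AuthKit or TurboGears code. The classes only borrow names from the table, and the `demo.groups` environ key, the `NotAuthorized` exception and the sample handler are assumptions of this sketch.

```python
# Illustrative model, not AuthKit or TurboGears code; "demo.groups" is an assumed key.
from functools import wraps

class NotAuthorized(Exception):
    """Raised by an authorizing function when its condition fails."""

class not_anonymous:  # compare RemoteUser(accept_empty=False)
    def check(self, environ):
        return bool(environ.get("REMOTE_USER"))

class in_group:  # compare HasAuthKitGroup
    def __init__(self, group):
        self.group = group
    def check(self, environ):
        return self.group in environ.get("demo.groups", ())

class from_host:
    def __init__(self, host):
        self.host = host
    def check(self, environ):
        return environ.get("REMOTE_ADDR") == self.host

class All:  # compare authkit.permissions.And
    def __init__(self, *conditions):
        self.conditions = conditions
    def check(self, environ):
        # Choice made in this sketch: an empty All() denies rather than passing vacuously.
        return bool(self.conditions) and all(c.check(environ) for c in self.conditions)

class Any(All):
    def check(self, environ):
        return any(c.check(environ) for c in self.conditions)

def require(condition):
    """Authorizing function: decorator that raises when the condition fails."""
    def decorator(handler):
        @wraps(handler)
        def guarded(environ, *args, **kwargs):
            if not condition.check(environ):
                raise NotAuthorized(handler.__name__)
            return handler(environ, *args, **kwargs)
        return guarded
    return decorator

def authorized(environ, condition):  # authorizing function that returns False on failure
    return condition.check(environ)

@require(All(not_anonymous(), Any(in_group("admin"), from_host("127.0.0.1"))))
def admin_page(environ):
    return "admin page for " + environ["REMOTE_USER"]
```

Conditions stay plain objects with no knowledge of how they are enforced, so the same condition can be handed to the raising decorator or to the boolean check.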