Have you ever created a Web application? If so, it’s very likely that you have at one time or another faced “the security problem”; whether to create and maintain a homegrown security sub-system, or to learn to use framework-specific security mechanisms (which may not be as flexible as you wish).

Securing Web applications shouldn’t be a problem. This article explores a highly extensible alternative which you can learn once and use in arbitrary applications, regardless of the Web framework used (if any!).

Application security is a broad field within software development, covering topics ranging from low-level network transmission security and encryption, up to application-level data security and input validation. In this article, we will focus on two of the most basic elements of application security: authentication and authorization.

Authentication vs. Authorization

Even experienced software developers often confuse these two related but not equivalent terms, so we’ll start by explaining what they are.

Authentication, often shortened as “authn”, is what you do when you check the credentials provided by the user to verify that he’s really who he claims to be. The most widely-used credentials are a set made up of a user identifier (like user name, or email address) and a password.

Authorization, often shortened as “authz”, is what you do when you check whether the user has permission to make the request or perform the transaction he’s currently making. Most of the time this depends on who the subject is, but it may also depend on what is requested, when it is requested, and/or how it is requested.

A common shortening for “authentication and authorization” is “auth”.

And there’s one more related term that comes into play: Identification, which is to check whether he was successfully authenticated previously to avoid challenging him again unnecessarily.

Authentication, identification and authorization in Python Web applications

Web applications powered by Python may take advantage of repoze.who to handle authentication and identification, and repoze.what to handle authorization. Both are security frameworks that can be used on top of your application, or integrated with your application’s Web framework if you are using one.

You can use them as long as your application is WSGI-compliant. WSGI is a Python standard which defines an interface between HTTP servers and Python applications, similar to CGI, which eases the writing of cross Web server libraries (which can be framework-independent) and applications.

The WSGI standard mandates the availability of a Python dictionary, referred to as the “WSGI environment”. This dictionary stores CGI environment variables, as well as others specific to the WSGI standard; other components used by your application may also use the WSGI environment to store data.

Any framework or raw application that exposes the WSGI environment dictionary can use both repoze.who and repoze.what. The popular WSGI-compliant frameworks CherryPy, Django, Pylons, TurboGears and Werkzeug expose this variable.

How repoze.who and repoze.what work

Figure 1 illustrates how a typical request is processed in WSGI and when repoze.who comes into play.

Figure 1

repoze.who is a WSGI middleware. A WSGI middleware is a layer that wraps your application, processing each request before your application does. WSGI middleware can also post-process your application’s response. WSGI applications can have zero or more of these middleware layers.

As shown in Figure 2, when a request is made and before it reaches your application, repoze.who will try to check if the user is already logged in or if he’s currently trying to log in. If the user is trying to log in and has supplied the right credentials, authentication will succeed and the user will be “remembered” in future requests by default. The request is then passed to the next WSGI middleware, if any, and eventually on to your WSGI application.

Figure 2

The following fully customizable components can be used at this stage:

• The request classifier: It matters if the agent is a browser, a Subversion client or a library which access a Web Service; you wouldn’t want to display a login form if the agent is a Subversion client, for example. Thus, this component classifies the current request so that only the appropriate plugins (out of your pre-selected ones) are used.
• Identifier plugins: These are the components that “identify” the user. That is, they are able to tell if the user is already logged from in a previous request, or if he is trying to log in in the current request. When authentication succeeds, these plugins are in charge of “remembering” the user for future requests (e.g., by defining a session cookie). Likewise, when a challenge is required, they “forget” the user (discarding a session cookie).
• Authenticator plugins: When the user is trying to log in in the current request, these components verify the user-supplied credentials (such as username and password) against a database, LDAP server, .htaccess file, etc.
• Metadata provider plugins: If the user was authenticated, metadata providers can load data about the current user (email address, full name, etc.) so that such data is ready to be used by your application.

After your application issues a response and before it reaches the HTTP server, as shown in Figure 3, repoze.who will check if a challenge is necessary; that is, ask the user in some way to identify himself. If so and the user was previously authenticated, the previous authentication will be forgotten, and the related session cookie will be discarded. After the challenge is complete, your application’s response will be replaced with a new response which will allow the user to log in (for example, sending a “WWW-Authenticate” header or displaying a login form).

repoze.who’s response-handling functionality is also driven by customizable components:

• The challenge decider: This is the component which will determine whether a challenge is required. The default challenge decider will order a challenge if and only if the response’s HTTP status code is 401.
• Challenger plugins: When a challenge is required, those challenger plugins which support the current request type will be run until the first of them returns a valid response.

repoze.who may seem hard to use at first sight, with all its components and terminology; so much flexibility comes at the cost of being a little hard to understand. But one of the goals of this article is to help people who had never heard of repoze.who to deal with basic and advanced authentication settings.

And how does repoze.what work?

repoze.what is mostly used inside of your application, where you define the access rules that must be met for a given routine to be performed.

Access rules in repoze.what are made of atomic units called “predicate checkers”, re-usable objects that check whether a given condition is met. Predicate checkers can be single or compound to form complex access rules. For example, a single condition (or predicate) might be “The user is not anonymous”, while a compound predicate could be “The user is not anonymous and their IP address is X.X.X.X”. You can write your own predicate checkers, usually in just a few lines of code.

repoze.what has built-in support for the widely-used authorization pattern whereby you assign groups to your users and then grant permissions to such groups; it ships with a comprehensive set of checkers for the relevant predicates (e.g., “The current user belongs to the ‘directors’ group”, “The current user is allowed to edit user accounts”). If you use this authorization pattern, the groups and permissions for the authenticated user will be loaded by a repoze.who metadata provider; in repoze.what 1.1, they’ll be loaded on demand by repoze.what itself, so you wouldn’t need repoze.who. Nevertheless, it is entirely optional and you can use any authorization pattern that best suits your needs.

Predicate checkers allow you to control access based not only on who makes the request, but also on how the request is made and what exactly is requested. For example, if you have a blog application, you might use the simple predicate “The user is allowed to remove posts”, focusing on who the user is to control access to the post edition routine. Or you can have the more specific compound predicate “The user is allowed to remove posts, as long as the user is the post’s author”. This predicate focuses on both who makes the request and what is requested. You can have an even more complex access rule for the article edition routine, such as “The user is allowed to remove posts, as long as the user is the post’s author — except post #1 which nobody can remove”.

repoze.what 1.0.X supports only blacklist-based authorization, that is, authorization is granted unless explicitly denied. Whitelist-based authorization, in which authorization is denied unless explicitly granted, will be supported as of version 1.1 (under development as of this writing).

Creating a Web application protected with repoze.who and repoze.what

It’s time to go practical! We’re going to create a WSGI application powered by repoze.who and repoze.what.

I’ll use the TurboGears 2 Web Application framework to make this simple application, but after reading the article you should be able to put what you just learned into practice in other frameworks, or standalone applications.

(For the sake of demonstration, we will skip typical overhead features such as input validation, so we can focus the examples on the repoze.who and repose.what’s integration of authentication and authorization.)

Let’s get started!

We’re going to develop this application using an isolated Python environment using a rather famous utility called “virtualenv”. This is very handy because everything you install or remove won’t affect your system-wide Python environment. To install it, run:

easy_install virtualenv

You may need administration rights to install it, depending on where you install it.

Next, create an environment for our application and activate it; on Unix systems, the commands for this are:

virtualenv --no-site-packages appenv
source appenv/bin/activate

On Windows systems, enter the following in a directory whose path doesn’t contain spaces:

C:\Python25\python.exe "C:\Path-to-VE\virtualenv.py" appenv
C:\Path-to-newly-created-environment\Scripts\activate.bat

When you’re done and want to deactivate it, you should run the command “deactivate” on Unix systems. For Windows, use “C:\Path-to-newly-created-environment\Scripts\deactivate.bat”.

I’ve called my virtual environment “appenv”, but you can use any name you like.

For help installing virtualenv, you can check its documentation at http://pypi.python.org/pypi/virtualenv.

Now to install TurboGears 2:

easy_install -i http://www.turbogears.org/2.0/downloads/current/index tg.devtools

Generating an application

TurboGears allows you to start coding using a minimal application, so that you don’t have to start from scratch (unless you really want to). We’ll use just that minimal application so that we can get off to a quick start, which you can optionally download.

The Web application we’re going to create is a classifieds service, like craiglist.org or gumtree.com; for lack of imagination, I’ll call it “classifieds”. To start coding it from a minimal application, we’ll ask TurboGears to generate it with the following command:

paster quickstart classifieds

Then you’ll be asked a couple of questions. The first will ask you for the package name to be generated in this project; hit ENTER to accept “classifieds” as the default package name. The second question will ask if you need authentication and authorization features for this project, hit ENTER to accept the default answer of “yes”. By answering “yes” to the second question, repoze.who and repoze.what will be used in the application by default. Now switch to the application’s directory, install it in development mode and set it up:

cd classifieds
python setup.py develop
paster setup-app development.ini


We’re not going to start coding yet — I’d like you to try the generated application, so that you can see repoze.who and repoze.what in action. So, start the application (the “reload” switch will restart the application whenever one of its files is modified):

paster serve --reload development.ini

and then open the following URL in your browser: http://localhost:8080/.

You should keep this simple procedure in mind because we’ll use it very often. Then, when you need to stop the development server, you have to hit Ctrl+C.

Now try, at least, the following (in order):

1. Log in: Visit http://localhost:8080/login or click on the “Login” link in the upper-right side of any Web page of our application. Enter “manager” and “managepass” in the login and password fields. You’ll get redirected to the main page and a welcome message will be displayed.
2. Visit a page you shouldn’t see: Like http://localhost:8080/editor_user_only; you should get a 403 page and a message which reads “Only for the editor”.
3. Log out: Visit http://localhost:8080/logout_handler or click on the “Logout” link in the upper-right side of any Web page of our application. You’ll get redirected to the main page and a goodbye message will be displayed.
4. Visit a private page as anonymous: If you’re currently logged in, log out first. Then visit http://localhost:8080/manage_permission_only; you should be redirected to the login form, where also the message “Only for managers” is displayed. Log in with the previous credentials (“manager”/”managepass”) and you’ll be redirected to the page you requested initially.

What you’ve seen is repoze.who, repoze.what and some of their official plugins in action; those notification messages are TurboGears-specific, though, but it shouldn’t be hard to port them to other frameworks or raw applications.

Before moving forward, I’ll describe some of the files and directories that the “paster quickstart” command above generated:

• devdata.db: The sqlite database file used for development.
• classifieds/: Your application’s package itself.
• classifieds/config/middleware.py: The file where the extra WSGI middleware for your application is added.
• classifieds/controllers/root.py: Your application’s root controller. Sub-controllers should be attached to the one defined in this file; below I’ll explain how.
• classifieds/model/: The application’s model definitions powered by SQLAlchemy.
• classifieds/model/auth.py: The model definitions specific to authentication, identification and authorization.
• classifieds/templates/: The application’s XHTML templates powered by Genshi.
• classifieds/websetup.py: Contains the function which will get run when the application is set up (used by the paster setup-app command). By default it just adds rows to the database.

On the other hand, this is how authentication, identification and authorization is configured right now:

• We have a table for our application’s users (tg_user), which contains the self-explanatory fields user_name and password, among others. repoze.who is configured to authenticate by using these two fields.
• repoze.what is configured to use its groups/permission-based pattern. The groups and permissions are stored in the database, in the tg_group and tg_permission tables.
• One user can belong to zero or more groups; one group can be granted zero or more permissions.
• Right now we have two users, “manager” and “editor” (with passwords “managepass” and “editpass”). “manager” belongs to the only group defined so far, “managers”. The group “managers” is granted the only permission defined so far, “manage”.

Let’s start coding

“At last!”, I heard you say.

While implementing repoze.who and repoze.what in an application which doesn’t come with them enabled out-of-the-box, the first thing you have to do is add their middleware to your application.

However, we’ll skip that part and keep the default settings for now, so that we can go to fun part right away: Learning how to protect areas in your Web application. The setup will be addressed later on, where you’ll learn how to configure repoze.who and repoze.what the TurboGears-independent way.

This is what we’re going to implement in our classifieds application:

• A simple user registration system.
• A classified visualization mechanism, for any user (anonymous or authenticated).
• A classified addition mechanism, for registered users.
• A classified edition mechanism, for registered users to edit their own classifieds.

So it’s finally time to fire up your Python editor, a terminal and a window of your browser!

First of all, let’s add groups and permissions for authorization in our application, instead of sticking to the ones created by default. We’re going to add one more group called “posters” and the “add-classifieds” permission to be granted to posters. (Before continuing, you should stop the server running in the terminal — With Ctrl+C).

To add the posters group, add this code to the setup_app() function, defined in classifieds/websetup.py:

posters = model.Group(group_name=u'posters', display_name=u'Classified posters')
model.DBSession.add(posters)

The addclassifieds permission is created with this code:

addclassifieds = model.Permission(permission_name=u'add-classifieds', description=u'Allowed to add classifieds')
addclassifieds.groups.append(posters)
model.DBSession.add(addclassifieds)

Add these sections right before the following lines:

model.DBSession.flush()
transaction.commit()

Now, since we have a classifieds application, we have to define the SQLAlchemy model for the classifieds. To keep things simple, we’ll define just four columns:

• classified_id: The classified’s identifier.
• poster_id: The poster’s user id.
• classified_title: The classified title.
• classified_contents: The classified contents.

Listing 1 implements this model definition. You have to create classifieds/model/posts.py and store that definition in there. Then you have to import that model at the end of classifieds/model/__init__.py:

from classifieds.model.posts import Classified

To apply the changes, let’s remove the development database, re-create it with our new model and rows, and finally start the server again:

rm devdata.db
paster setup-app development.ini
paster serve --reload development.ini


That’s it, now we have the model definition for the classifieds. Let the fun part begin!

Creating a user registration system

We’re going to create a simple registration system made up of two controller actions: One to display the registration form and another to process the submitted form.

We’re going to implement them in the root controller for our application, the class RootController found in the source file classifieds/controllers/root.py.

To define the action for the registration form, first import the repoze.what predicate checker that verifies that the current user is anonymous:

from repoze.what.predicates import is_anonymous

Next, add the following method in RootController:

@expose('classifieds.templates.register')
@require(is_anonymous(msg='Only one account per user is allowed'))
def register(self):
"""Display the user registration form"""
return {'page': 'user registration'}

What the two decorators above do is specify that the template for the “register” action is classifieds/templates/register.html and that access is granted to users who don’t have an account, respectively.

@require is a TurboGears-specific decorator that evaluates a repoze.what predicate before calling the action in question. When such a predicate is not met, the action is not called and a 401 response is returned (403 if the user is already logged in). Then repoze.who’s default challenge decider will find the 401 response and will replace it with the challenge.

Internally, the predicate is evaluated by calling its check_authorization() method (which raises the repoze.what.predicates.NotAuthorizedError exception if the predicate isn’t met, whose message is the user-friendly explanation) or is_met() (which returns a boolean). Listing 2 illustrates a fictitious implementation, using the decorator package; you’d find it useful if you want to use repoze.what in another framework or raw application (Pylons users may want to check repoze.what-pylons).

Going back to the creation of the action, you’ll have to create the template that will display the form: Create classifieds/templates/register.html with the contents of Listing 3.

Now it’s time to create the action which will process the contents of the submitted form by adding the user to the database, including them in the “posters” group and finally redirecting them to the login form so that they can use the newly created account. For that, you have to define the add_user method shown in Listing 4 (in RootController).

That’s it! Our registration system is done. Now you can try it by visiting http://localhost:8080/register.

The classifieds visualization mechanism

We’re going to write the part of the interface which will allow us to see the classifieds hosted by our service. This will be accomplished by means of two controller actions: One to see all the classifieds available, in the main page of the application, and another to see individual classifieds.

For the first, we have to re-write the “index” action of the root controller, to make it look like this:

@expose('classifieds.templates.index')
def index(self):
query = DBSession.query(model.Classified)
all_classifieds = query.all()
return dict(page='index', classifieds=all_classifieds)

Then its template, classifieds/templates/index.html, should be replaced with the contents of Listing 5, which lists the available classifieds with a link to their individual pages.

The second action, the one to show the classifieds individually, will be implemented as “view” and will be defined in the root controller too:

@expose('classifieds.templates.view')
def view(self, classified):
query = DBSession.query(model.Classified)
classified_obj = query.get(classified)
# Is the user allowed to edit the classified?
checker = user_is_poster()
can_edit = checker.is_met(request.environ)
return {'page': 'Classified page', 'classified': classified_obj, 'classified_id': classified, 'can_edit': can_edit}

Note that in the “view” action we do something new: Handle a predicate checker directly. Sometimes it is necessary to evaluate them directly and get a boolean result to know whether it’s met or not thanks to the is_met() method of the predicate checker. For example, right now we use it to display a link to edit that predicate, if and only if the current user is allowed to edit it.

Then the template for “view”, classifieds/templates/index.html, is defined as shown in Listing 6.

Implementing the classified submission mechanism

To allow users publish classifieds, we’ll write two controller actions (once again, one to display the form and the other to process it).

The action that will display the form should first check that the user is allowed to add a classified; this is, we should use repoze.what’s has_permission predicate so that it checks whether they are granted the “add-classified” permission. You have to import it at the top of classifieds/controllers/root.py:

from repoze.what.predicates import has_permission

And then write the action as shown below:

@expose('classifieds.templates.add')
@require(has_permission('add-classifieds'))
def add(self):
return {'page': 'Classified submission'}


This action uses the template classifieds/templates/add.html, which we have to create with the contents of Listing 7.

Finally, Listing 8 shows how the action that processes the submitted form is implemented. There we use something we hadn’t used before: The repoze.who identity dictionary. Do you remember that I said that repoze.who optionally uses so-called “metadata providers”, which are plugins that load data about the current user into the request? Well, that data is kept in the WSGI environment dictionary, under the repoze.who.identity key.

Then we use one of the items of that dictionary, “user”, which contains the database object for the current user. It is loaded by the metadata provider defined in the repoze.who SQLAlchemy plugin (repoze.who.plugins.sa), a component that is enabled by default in TurboGears.

Implementing the classified edition mechanism with custom predicate checkers

So far we’ve used a few repoze.what predicate checkers, which are all very basic. Very often you have to write your own checkers. For example, if the URL where classifieds are edited looks like http://localhost:8080/edit/X (where “X” represents the classified identifier), and we want that classifieds can only be edited by their posters, we’ll need a predicate checker that finds the poster of the “X” classified and checks if it is the current user.

This predicate checker is implemented in Listing 9, which should be stored in classifieds/lib/authz.py (a file you should create). That’s a good sample checker, which helps us to understand how a predicate checker is defined:

• It must extend the repoze.what.predicates.Predicate class.
• It must define a user-friendly explanation in the message attribute, which may be shown to the user when the predicate is not met.
• Its logic is defined in the evaluate() instance method, which must call the unmet() method when the predicate is not met; keyword arguments passed to this method will replace the placeholders defined in message (if any), although that message can be replaced on-the-fly with a string passed as the first positional argument. evaluate() receives the WSGI environment and the repoze.what credentials dictionaries as arguments.
• If the checker relies on arguments such as GET or POST variables, or other arguments available in the URL, the parse_variables() method should be used to retrieve them. It will return a dictionary whose items are: “get” for variables in the query string and “post” for POST variables, plus “named_args” and “positional_args” for named and positional arguments in the URL (which must be set by a routing software like Selector or Routes).

Because this predicate relies on a named argument in the URL (“classified”), we have to use a URL router software compliant with the wsgiorg.routing_args standard; we’ll use Routes. To configure Routes in TurboGears 2, you have to insert the following contents in classifieds/config/app_cfg.py (right after the imports) and then replace the line base_config = AppConfig() with base_config = ClassifiedsConfig():

class ClassifiedsConfig(AppConfig):
def setup_routes(self):
"""Customize routing"""
from tg import config
from routes import Mapper
dir = config['pylons.paths']['controllers']
map = Mapper(directory=dir, always_scan=config['debug'])
# Defining our custom routes:
map.connect('/{action}/{classified:\d+}', controller='root')
# Required by TurboGears:
map.connect('*url', controller='root', action='routes_placeholder')
config['routes.map'] = map


At this point we’re ready to use the user_is_poster checker.

Now import the custom checker into classifieds/controllers/root.py:

from classifieds.lib.authz import user_is_poster

Next, use the following contents to define the “edit” action and the contents of Listing 10 for its template (classifieds/templates/edit.html):

@expose('classifieds.templates.edit')
@require(user_is_poster())
def edit(self, classified):
query = DBSession.query(model.Classified)
classified_obj = query.get(classified)
return {'page': 'Classified edition page', 'classified': classified_obj, 'classified_id': classified}

Finally, for the action that processes the submitted form, we can use:

@expose()
@require(user_is_poster())
def edit_classified(self, classified, title, contents):
# Fetching and updating the classified object:
query = DBSession.query(model.Classified)
classified_obj = query.get(classified)
classified_obj.classified_title = title
classified_obj.classified_contents = contents
DBSession.update(classified_obj)
# Notifying the user:
flash('Classified "%s" updated!' % title)
redirect(url('/view/%s' % classified))


You can now play with the classifieds edition mechanism, to see by yourself how authorization is denied when somebody tries to edit somebody else’s classified, thanks to our “user_is_poster” checker.

Configuring it all by ourselves

At this point you’re able to deal with identification (using the repoze.who identity dictionary, which contains user data) and control authorization in your application with repoze.what predicate checkers (even how to write your own!), and you should also be able to put this knowledge to the test in frameworks other than TurboGears.

What we’re missing now is to know how to configure repoze.who and repoze.what by ourselves, since we skipped that part initially because TurboGears configures them for us. But you have to know this to use both packages with other frameworks or even to continue with TurboGears in a more advanced setup.

Therefore we’re going to stop TurboGears from configuring repoze.who and repoze.what, so that we have full control on how they are configured and learn how to do it in other frameworks.

To disable the automatic setup of repoze.who and repoze.what, go to classifieds/config/app_cfg.py and set the variable base_config.auth_backend to None. Then all those variables that start by base_config.sa_auth will be ignored, so you can remove them if you want.

Now let’s handle the configuration by adding the middleware to our WSGI application. I’ll use a function called add_auth() (defined in classifieds/config/auth.py) which receives the WSGI application as the only argument and returns it with the middleware added, as shown in Listing 11.

Because add_auth() configures repoze.who and repoze.what the same way we’ve been using them, but with the hidden details revealed, we’ll be able to identify their components.

In this function we see that repoze.who is configured with the following plugins:

• AuthTktCookiePlugin, an identifier which remembers and forgets authenticated users using cookies (using the string “secret” as the encryption key and “authtkt” as the cookie name).
• FriendlyFormPlugin, the component that handles our login form and logouts. As an identifier, when the user is logging in it extracts the “login” and “password” from the request so that the authenticator(s) can use such data, and when the user tries to log out, it asks AuthTktCookiePlugin to forget the user. As a challenger, it redirects the user to the login form (at “/login”).
• SQLAlchemyAuthenticatorPlugin, as the only authenticator used. It connects to the “tg_user” table to check if there’s a match for the supplied “login” and “password”.
• SQLAlchemyUserMDPlugin, the metadata provider that loads the current user’s SQLAlchemy object into the repoze.who identity item “user”.
• Because we didn’t specified request classifiers or challenge deciders, the default ones will be used.

Meanwhile, repoze.what is configured using the groups/permissions-based authorization pattern, where the groups and permissions are retrieved thanks to the following adapters:

• SqlGroupsAdapter, which loads the groups from the “tg_group” table.
• SqlPermissionsAdapter, which loads the groups from the “tg_permission” table.

If we don’t use this authorization pattern, our app_with_mw variable would have been defined without passing groups/permission adapters:

app_with_mw = setup_auth(app, **who_args)

And what about using repoze.who but not repoze.what? Listing 12 shows how to configure repoze.who just like we did above, but without repoze.what. Note that this time we had to pass the request classifier and challenge decider explicitly.

The opposite, using repoze.what without repoze.who, is not yet possible as of this writing because repoze.what 1.0’s credentials are loaded through a repoze.who metadata provider. repoze.what 1.1 will be completely repoze.who-independent, optionally.

Finally, it’s time to use add_auth(). It can be used like any other WSGI middleware, so in the case of this TurboGears 2 application, it is in classifieds/config/middleware.py; if using another framework, consult the relevant documentation to find the equivalent. First, you should import the function:

from classifieds.config.auth import add_auth

And then use it inside the make_app() function, under the specified line:

# Wrap your base TurboGears 2 application with custom (...)
app = add_auth(app)

And voila! Now our classifieds service behaves the same way as before, with its authentication, identification and authorization settings now being controlled by our own code instead of the generated defaults.

Going beyond with repoze.who and repoze.what

The topics covered in this article are just the tip of the iceberg. Both Repoze packages are created with extensibility in mind; their core is minimalist but they already have many ready-to-use plugins, not only the repoze.who and repoze.what SQLAlchemy plugins we used here.

There are repoze.who plugins for OpenId, LDAP, .htaccess and RADIUS authentication, as well as a built-in challenger plugin for HTTP authentication — just to name some of the available plugins. And you can easily create your own plugins, following the patterns described in this article.

Although repoze.what is a relatively new piece of software as of this writing, it has several ready-to-use plugins as well. It has plugins to store the groups and permissions in XML files or .ini files, not only in databases, as well as a plugin called repoze.what-quickstart which allows us to have repoze.who and repoze.what working quickly (that’s what TurboGears uses to set them up).

Although they were not used in our classifieds service, just mentioned in the beginning, you can have so-called compound predicates. Access rules aren’t always as simple as “The user must be logged in” or “The user belongs to the ‘posters’ group”. For example, in our classified edition mechanism we way want to allow administrators to edit classifieds, even those not posted by themselves; to do so, instead of using our user_is_poster checker alone, we could use it along with the Any and in_group checkers:

from repoze.what.predicates import Any, in_group
p = Any(in_group('manager'), user_is_poster())

In this article we didn’t even use half of the built-in repoze.what predicate checkers. A full list is available in the repoze.what manual.

Settings are very flexible. It is even possible to configure repoze.who and repoze.what through .ini files, so that those settings can be adjusted while deploying the application (which would be a replacement for our add_auth() function defined above).

It is also worth noting that both projects are actively developed, well documented, well tested and supported by the Repoze community. As a result, it is most likely that you’ll have a good experience using them.

repoze.who and repoze.what aim to solve “the security problem” we Web developers face so often, and they have proved to be the right choice in many scenarios. The likelihood of them being the right choice for your next Web application is strong, specially now that you’re familiar with them!

To ask questions about repoze.who and/or repoze.what, please use the repoze-dev mailing list. For everything else that is related to this article, please leave a comment below.

Since the second half of last summer I’ve been inactive in the Free Software arena. No commits, no emails from me in the last few months which may indicate that the projects are dead. So I wanted to write to let you know that I have no plans to stop maintaining any of my projects. I will start to catch up with all the things I’ve missed in the projects I normally contribute to and the projects I develop alone.

The reason why you’d heard nothing from me is that I left Spain to move to Oxford, in order to work at the cool company behind 2degreesnetwork.com. The removal was the most time-consuming and stressful thing I’d ever done, but after one month working here, I’m happy to say that it was worth it. The atmosphere is just like I thought Web 2.0 companies were, and I am surrounded by nice and talented people. I can’t be happier.

Well, back to the projects, I had to wait a lot to get access to the Internet at home, but I got it a couple of weeks ago and have been catching up (slowly) with the pending stuff. I still have a huge stack of unanswered emails, for example.

For the last couple of weeks I was working fulltime on repoze.what 1.1 and repoze.what-django. I hope to finish the documentation and get the first alpha releases out very soon; the code itself is pretty much ready and, as usual, fully tested. I didn’t have plans to do a repoze.what 1.1 release anytime soon, but while developing repoze.what-django I found myself implementing something which would be useful outside Django (i.e., ACLs) and thus I decided to move it to repoze.what.

After that, I want to improve the auth documentation in TurboGears 2. repoze.what-pylons is the crucial part of the repoze.what integration in TG2 and it’s fully documented, but duplicating part of those docs won’t do any harm and adding some tips and tricks would be nice. I started doing that some months ago but never committed it; I have to finish it this time.

Then I’d like to make repoze.what-pylons take advantage of the new features in repoze.what 1.1, like repoze.what-django already does.

That’s it for the foreseeable future. Next year I really want to get serious with Booleano and PyACL.

I named this Python-based project “wooflix” and you can download it from code.gustavonarea.net. It ships with a command-line interface and basic documentation, including the design document.

It’s the first project, as far as I know, that uses Booleano. With it, you can get random movie recommendations and filter them, like this:

# Get 5 movie recommendations for user #7, at least those published after 2001
wooflix recommendations 7 --max="5" --filter="movie:year > 2001"

Keep in mind that I won’t offer support for it; I’m publishing because I thought it might be useful for some people, but I have no intentions to work on it in the future.

Booleano is an interpreter of boolean expressions, a library to define and run filters available as text (e.g., in a natural language) or in Python code.

In order to handle text-based filters, Booleano ships with a fully-featured parser whose grammar is adaptive: Its properties can be overridden using simple configuration directives.

On the other hand, the library exposes a pythonic API for filters written in pure Python. These filters are particularly useful to build reusable conditions from objects provided by a third party library.

It’s been designed to address the following use cases:

1. Convert text-based conditions: When you need to turn a condition available as plain text into something else (i.e., another filter).
2. Evaluate text-based conditions: When you have a condition available as plain text and need to iterate over items in order to filter out those for which the evaluation of the condition is not successful.
3. Evaluate Python-based conditions: When you have a condition represented by a Python object (nothing to be parsed) and need to iterate over items in order to filter out those for which the evaluation of the condition is not successful.

It is a project I found necessary while working on repoze.what 2, which I’ve been developing for the last few months in my spare time. This release is absolutely usable, but lacks documentation because I needed this release out for a (small) project I need to work on ASAP (it will depend on Booleano). The next release will ship with a nice documentation, I promise.

• Buy it in a place where every single computer ships with Windows, so that I could claim a refund. I didn’t care about the money: I just wanted to mess with that kind of vendors and file a lawsuit if I didn’t get it on good terms, to encourage people to do the same thing and thus contribute to do away with the Windows Tax.
• Purchase it from a Linux pre-installed vendor, to support them. Even if they pre-installed a freedom-trampling system like Windows, it’d be good to show them that Freedomware worths it.

I liked both options alike, so I based my decision on the computer specs and costs, not on the vendor/manufacturer.

I decided to get a Dell XPS M1330, one of the two Ubuntu-powered computers that I remembered Dell sells in Spain. So I visited dell.es/ubuntu and was surprised to find just a couple of netbooks! Change of plans; now I’ll have to get it with Windows and claim a refund, I told myself.

So the first step was to get a proof that I was imposed the operating system when I bought the laptop. Sales representatives were available for a chat, so I asked them how could I get a Dell XPS M1330 without Windows. The surprising answer was that it was available with Ubuntu and pointed me to configure2.euro.dell.com/dellstore/! Plans changed one more time; back to the original plan, get it with Linux.

I obviously asked why it wasn’t listed on dell.es/ubuntu. The sales rep said that s/he didn’t know why and that s/he will forward my query to the relevant department. I bought the laptop with Ubuntu that day and that was it.

Today, out of curiosity, I went to dell.es/ubuntu and found that it hasn’t changed! The link the sales rep provided me with the other day still works but the laptop is not listed. And the same happens in dell.fr/ubuntu, dell.co.uk/ubuntu and dell.de/ubuntu, for example.

This can hardly be a mistake. Why the heck does Dell hide some of the few Linux-powered computers they sell now? Maybe due to threats from Microsoft? After all, it’s well-know for its monopolistic practices.

PS (April 18th @ 14:00 UTC): The link above to configure2.euro.dell.com/dellstore/ doesn’t work at times today, so here’s an screenshot if it doesn’t work for you:

PS (April 19th @ 18:30 UTC): This is an screenshot of the random error I warned about yesterday (which I took just in case), before reaching Digg.com’s front-page:

Now, almost 20 hours after reaching Digg’s front-page, the link no longer works (not even at times, as yesterday) and a better formatted page is displayed instead:

I don’t know if the different error pages actually mean something, but my point is that the link is now dead.

• The license will change. It will use Repoze’s.
• The development tools will be migrated from Launchpad (bug tracker, repository, etc).
• The LDAP plugin’s documentation will be included into repoze.who’s.
• It will be maintained by Repoze commiters, and I’m one of them.

I’ve not started the migration, but I hope to start in a few days.

It’s a plugin for the repoze.who framework, featuring not only an LDAP authenticator, but also related utilities. It’s a fully documented project which also ships with a working demo application, so it’d be hard for you to get stuck.

I wrote this plugin in order to enable LDAP authentication in Animador. And in fact, it’s the first application that uses the plugin.

The latest version is 1.0, and you’re highly encouraged to play with it and give feedback!

Visit its website for more information!

This is because I’ve been contributing patches for TurboGears 2 and other packages used by Animador (a TurboGears 2 application), since I started its development, in order to fix bugs and/or add new features that I want in Animador. So now I can apply my changes by myself!

And stay tunned, because very soon it’s going to be very easy to add OpenId support to any WSGI application by means of a plugin for the framework-independent repoze.who package!