sqlalchemy_authorize.oso package

Submodules

sqlalchemy_authorize.oso.oso_permissions_mixin module

class sqlalchemy_authorize.oso.oso_permissions_mixin.OsoPermissionsMixin(*args, protected=True, check_create=False, **kwargs)[source]

Bases: BasePermissionsMixin

Authorize your fields using Oso.

E.g. (using the User model defined in conftest.py and the polar policy provided in sqlalchemy_authorize.oso.rbac.polar):

>>> admin = User(id="1", username="root", is_admin=True)
>>> john_doe = User(username="john_doe", check_create=True)
Traceback (most recent call last):
oso.exceptions.ForbiddenError: ...
>>> with user_set(app, admin):  # A context to set `flask.g.user`
...     john_doe = User(username="john_doe", check_create=True)
...     john_doe.id = "2"
>>> john_doe.username, john_doe.id
('john_doe', '2')
>>> with user_set(app, john_doe):
...     john_doe.username = "doe_john"
...     john_doe.id = "3"
Traceback (most recent call last):
oso.exceptions.ForbiddenError: ...
>>> john_doe.username, john_doe.id
('doe_john', '2')

authorize_field(action, key)[source]

This is where you actually implement the check. For an example, see OsoPermissionsMixin.

Usually, you can rely on this being called indirectly (when setting/getting/deleting attributes).

This is a placeholder that authorizes only public actions, not a working example. In practice, you’ll want to implement your role-based / relation-based / attribute-based access control here (or use a solution like oso).

Parameters
  • action – One of CRUD or a custom action.

  • key – The attribute/field to authorize.

Returns

None if the action is allowed.

Raises

:exc:`PermissionError` (or some custom error like :exc:`oso.ForbiddenError`) if not allowed.
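The mechanism the doctest above relies on, as an added example that is not the project's code: attribute writes are intercepted and routed through authorize_field(action, key), which returns None when allowed and raises PermissionError otherwise. The names `_ctx`, `user_set`, `FieldAuthorizedMixin`, `denied` and `run_scenario` are assumptions, and the in-Python rule set stands in for flask.g.user and the rbac.polar policy so the snippet runs without Flask or oso.

```python
from contextlib import contextmanager
_ctx = {"user": None}  # stand-in for flask.g.user, which get_user() reads (assumption)
@contextmanager
def user_set(user):  # mirrors the doctest's user_set(app, user), minus the Flask app
    previous, _ctx["user"] = _ctx["user"], user
    try:
        yield
    finally:
        _ctx["user"] = previous

class FieldAuthorizedMixin:
    OWNER_WRITABLE = {"username"}  # hand-written stand-in for the rbac.polar rules

    def __init__(self, check_create=False, **fields):
        if check_create:  # optional create check, as in the mixin's signature
            self.authorize_field("create", None)
        for key, value in {"id": None, "is_admin": False, **fields}.items():
            object.__setattr__(self, key, value)  # bypass the hook while populating

    def __setattr__(self, key, value):
        self.authorize_field("update", key)  # the indirect call the docs describe
        object.__setattr__(self, key, value)

    def authorize_field(self, action, key):
        # Admins may do anything; a user may update their own OWNER_WRITABLE fields.
        actor = _ctx["user"]
        if actor is not None and actor.is_admin:
            return None
        if action == "update" and actor is self and key in self.OWNER_WRITABLE:
            return None
        raise PermissionError(f"{action} on {key!r} denied")

class User(FieldAuthorizedMixin): pass  # toy model, not the conftest.py User

def denied(fn):  # True when the call raises PermissionError
    try:
        fn()
    except PermissionError:
        return True
    return False

def run_scenario():  # replays the doctest above step by step
    admin = User(id="1", username="root", is_admin=True)
    anon_denied = denied(lambda: User(username="john_doe", check_create=True))
    with user_set(admin):
        john_doe = User(username="john_doe", check_create=True)
        john_doe.id = "2"
    with user_set(john_doe):
        john_doe.username = "doe_john"
        id_denied = denied(lambda: setattr(john_doe, "id", "3"))
    return anon_denied, john_doe.username, john_doe.id, id_denied
```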

error(action: str)[source]

Returns an appropriate exception for the action.

Returns

static get_anonymous_user()[source]

Returns a mock anonymous user.

You’ll probably want to override this with a method that creates an anonymous instance of your User model. (You need to call oso.register_classes).

But if all you’re checking in your polar policies is your user.id, then this may suffice.

static get_oso()[source]

Function to get the current oso instance.

By default assumes you’ve attached oso to the app during setup.

get_user()[source]

Function to get the current user (which will get passed as the actor to oso.authorize_fields).

By default assumes a user in g.user.

class sqlalchemy_authorize.oso.oso_permissions_mixin.UserMock(id: str)[source]

Bases: object

static exposed()[source]

id: str

Module contents