Routes can be protected so that only authenticated users can access them.
To do so, decorate the handlers with the @private
decorator:
@appier.route("/", "GET")
@private
def hello(self):
return "hello from /"
When a user is unable to access a route due to not having privileges, an exception with the 403 error code (forbidden) is raised. This error can be handled to send the user to the login page for example:
@appier.error_handler(403)
def forbidden_code(self, error):
return self.redirect("base.signin")
In order to allow access to only some of the authenticated users,
use the @ensure
decorator instead:
@appier.route("/", "GET")
@appier.ensure(token = "base")
def hello(self):
return "hello from /"
The token
keyword specifies the token that must be present in the current
Session, for this route to be accessible. When a user is logged
in, the tokens he has access to should be set in the reserved tokens
session
variable like so:
self.session["tokens"] = ["base"]
And deleted when the user logs out:
del self.session["tokens"]
In this example, all authenticated users would be able to access routes protected
with the base
token, they wouldn't however, be able to access another route
protected with an admin
token. To be able to access both, a list with both tokens
would have to be set in the session:
self.session["tokens"] = ["base", "admin"]
There is, however, a special token that allows users to access any protected resource, regardless of what token it is protected with:
self.session["tokens"] = ["*"]
This special token should rarely be used though. It can be used to easily define the access rights of an administrator user that can do anything another user can, but such usage is discouraged for security reasons.
The access rights of a user can be checked in templates in order to output only the content that should be visible to each access level. Here's how to show different content depending on whether the user is logged in or not:
{% if session.email %}
<p>Logged in</p>
{% else %}
<p>Not logged in</p>
{% endif %}
This example is checking for the existence of the email
attribute in the
session object to determine if the user is logged in or not, however any
session variable will do, as long as it's one that is only set if the user
is logged in.
To change the output depending on the authenticated user's access level, one can check through the template if the user has a certain token:
{% if session.email %}
{% if acl('admin') %}
<p>Logged in as admin</p>
{% else %}
<p>Logged in as a normal user</p>
{% endif %}
{% else %}
<p>Not logged in</p>
{% endif %}