Skip to content

Use Casbin in Tornado, Casbin is a powerful and efficient open-source access control library.

License

Notifications You must be signed in to change notification settings

pycasbin/tornado-authz

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

tornado-authz

Discord

Installation

Clone this repo

git clone https://github.com/pycasbin/tornado-authz

Simple Example

import asyncio
import tornado
from casbin import Enforcer

from tornado_authz import CasbinMiddleware


# Create a CasbinMiddleware instance with the enforcer
enforcer = Enforcer("../examples/authz_model.conf", "../examples/authz_policy.csv")
middleware = CasbinMiddleware(enforcer)


class BaseHandler(tornado.web.RequestHandler):
    def get_current_user(self):
        user = None
        if self.get_secure_cookie("user"):
            user = self.get_secure_cookie("user").decode('utf-8')
        return user

    def prepare(self):
        # Check the permission for the current request
        middleware(self)


class MainHandler(BaseHandler):
    def get(self):
        self.write("Main Page")


class LoginHandler(BaseHandler):
    def get(self):
        self.write('<html><body><form action="/login" method="post">'
                   'Name: <input type="text" name="name">'
                   '<input type="submit" value="Sign in">'
                   '</form></body></html>')

    def post(self):
        self.set_secure_cookie("user", self.get_argument("name"))
        self.redirect("/dataset1/")


class DatasetHandler(BaseHandler):
    def get(self):
        self.write("You must be alice to see this.")


def make_app():
    return tornado.web.Application([
        (r"/", MainHandler),
        (r"/login", LoginHandler),
        (r"/dataset1/.*", DatasetHandler),
    ], cookie_secret="__TODO:_GENERATE_YOUR_OWN_RANDOM_VALUE_HERE__")


async def main():
    app = make_app()
    app.listen(8888)
    await asyncio.Event().wait()


if __name__ == "__main__":
    asyncio.run(main())

Documentation

The authorization determines a request based on {subject, object, action}, which means what subject can perform what action on what object. In this plugin, the meanings are:

  1. subject: the logged-in username
  2. object: the URL path for the web resource like dataset1/item1
  3. action: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like "read-file", "write-blog"

For how to write authorization policy and other details, please refer to the Casbin's documentation.

Getting Help

License

This project is under Apache 2.0 License. See the LICENSE file for the full license text.

Releases

No releases published

Packages

No packages published

Languages