rattail.auth
¶
Auth Handler
See also Auth Handler.
- class rattail.auth.AuthHandler(config, **kwargs)[source]¶
Base class and default implementation for the so-called “auth” handler, by which we mean “authentication and authorization”.
In practice this is also responsible for creating new users, and various things pertaining to roles, etc.
- authenticate_user(session, username, password)[source]¶
Authenticate the given user credentials, and if successful, return the user object.
Default logic will (try to) locate a user record with matching username, then confirm the supplied password is also a match.
You may of course define a custom handler and then could authenticate against anything you like, e.g. the POS system or LDAP etc. The only trick is that this must return a Rattail user, not some other kind. So you may have to devisde a way to auto-create the Rattail user as needed, when authentication for the external system succeeds.
Generally speaking the credentials passed in will have come directly from a user login attempt in the web app etc. Again the default logic assumes a “username” but in practice it may be an email address etc. - whatever the user types.
- authenticate_user_token(session, token)[source]¶
Authenticate the given user API token string, and if valid, return the corresponding User object.
- delete_user(user, **kwargs)[source]¶
Delete the given user account. Use with caution! As this generally cannot be undone.
Default behavior here is of course to delete the account, but it also must try to “remove” the user association from various places, in particular the continuum transactions table. Please note that this will leave certain record versions as appearing to be “without an author”.
- generate_preferred_username(session, **kwargs)[source]¶
Generate a “preferred” username using data from
kwargs
as hints.Note that
kwargs
should be of the same sort that might be passed to the constructor for a newUser
instance.So far there is only one “hint” which is honored by the default logic; however the intention is to leave this flexible as other kinds of hints may be useful in the future.
This method does not confirm if the username it generates is actually “available” for a new user. If you need confirmation then use
generate_unique_username()
instead.- Parameters:
- Returns:
Generated username as string.
- generate_unique_username(session, **kwargs)[source]¶
Generate a unique username using data from
kwargs
as hints.Note that
kwargs
should be of the same sort that might be passed to the constructor for a newUser
instance.This method is a convenience which does two things:
First it calls
generate_preferred_username()
to obtain the “preferred” username. (It passeskwargs
along when it makes the call. Seegenerate_preferred_username()
for more info.)Then it checks to see if the resulting username is already taken. If it is, then a “counter” is appended to the username, and incremented until a username can be found which is not yet taken.
It returns the first “available” (hence unique) username which is found. Note that it is considered unique and therefore available at the time; however this method does not “reserve” the username in any way. It is assumed that you would create the user yourself once you have the username.
- Parameters:
session¶ – Current session for Rattail DB.
- Returns:
Username as string.
- get_email_address(user, **kwargs)[source]¶
Get the “best” email address we have on file for the given user.
- get_merge_preview_data(user, **kwargs)[source]¶
Must return a data dictionary for the given object, which can be presented to the user during a merge preview.
- get_merge_preview_fields(**kwargs)[source]¶
Returns a sequence of fields which will be used during a merge preview.
- get_merge_resulting_data(removing, keeping, **kwargs)[source]¶
Must return a dictionary to represent what the final data would look like, should the proposed merge occur. Note that we’re still in preview mode here, this doesn’t actually cause any particular data to become final.
- Parameters:
removing¶ – Data dictionary for the object to be removed, as obtained via
get_merge_preview_data()
.keeping¶ – Data dictionary for the object to be preserved, as obtained via
get_merge_preview_data()
.
- get_permissions(session, principal, include_guest=True, include_authenticated=True)[source]¶
Return a set of permission names, which represents all permissions effectively granted to the given user or role.
- Parameters:
session¶ – Current session for Rattail DB.
principal¶ – Either a
User
orRole
instance. It is also expected that this may sometimes beNone
, in which case the “Guest” role will typically be assumed.include_guest¶ – Whether or not the “Guest” role should be included when checking permissions. If
False
, then Guest’s permissions will not be consulted.include_authenticated¶ – Whether or not the “Authenticated” role should be included when checking permissions.
- Returns:
Set of permission names.
- get_short_display_name(user, **kwargs)[source]¶
Returns “short display name” for the user. This is for convenience of mobile view, at least…
- grant_permission(role, permission)[source]¶
Grant a permission to the role. If the role already has the permission, nothing is done.
- has_permission(session, principal, permission, include_guest=True, include_authenticated=True)[source]¶
Check if the given user or role has been granted the given permission.
- Parameters:
session¶ – Current session for Rattail DB.
principal¶ – Either a
User
orRole
instance. It is also expected that this may sometimes beNone
, in which case the “Guest” role will typically be assumed.permission¶ – Name of the permission for which to check.
include_guest¶ – Whether or not the “Guest” role should be included when checking permissions. If
False
, then Guest’s permissions will not be consulted.include_authenticated¶ – Whether or not the “Authenticated” role should be included when checking permissions.
- Returns:
Boolean indicating if the permission has been granted.
- make_user(session=None, **kwargs)[source]¶
Make and return a new user.
This is mostly just a simple wrapper around the normal
User
constructor. Allkwargs
for instance are passed on to the constructor.Default logic here only adds one other convenience:
If there is no
username
specified in thekwargs
then it will callgenerate_unique_username()
to automatically provide a username. Note that allkwargs
are passed along in that call.
- merge_update_keeping_object(removing, keeping)[source]¶
Update the object to be kept, with any relevant data from the object to be removed, in the context of a merge.
- remove_user_from_continuum_transactions(user)[source]¶
Remove the given user from all Continuum transactions, i.e. all data versioning tables.
You probably will not need to invoke this directly; it is invoked as needed from within
delete_user()
.
- revoke_permission(role, permission)[source]¶
Revoke a permission from the role. If the role does not have the permission, nothing is done.