rattail.db.auth

Authentication & Authorization

rattail.db.auth.administrator_role(session)

Returns the “Administrator” role.

rattail.db.auth.authenticated_role(session)

Returns the “Authenticated” role.

rattail.db.auth.guest_role(session)

Returns the “Guest” role.

rattail.db.auth.authenticate_user(session, userobj, password)

Attempt to authenticate a user.

Parameters:

userobj – May be a model.User instance, or a username as string. If the latter, it will be used to look up the User instance.

Returns:

The User instance, if found and the password was correct; otherwise None.

rattail.db.auth.set_user_password(user, password)

Set a user’s password.

rattail.db.auth.has_permission(session, principal, permission, include_guest=True, include_authenticated=True)

Determine if a principal has been granted a permission.

Parameters:
  • session – A SQLAlchemy session instance.

  • principal – May be either a model.User or model.Role instance. It is also expected that this may sometimes be None, in which case the “Guest” role will typically be assumed.

  • permission – The full internal name of a permission, e.g. 'users.create'.

  • include_guest – Whether or not the “Guest” role should be included when checking permissions. If False, then Guest’s permissions will not be consulted.

  • include_authenticated – Whether or not the “Authenticated” role should be included when checking permissions.

Note that if no principal is provided, and include_guest is set to False, then no checks will actually be done, and the return value will be False.

rattail.db.auth.cache_permissions(session, principal, include_guest=True, include_authenticated=True)

Return a set of permission names, which represents all permissions effectively granted to the given principal.

Parameters:
  • session – A SQLAlchemy session instance.

  • principal – May be either a model.User or model.Role instance. It is also expected that this may sometimes be None, in which case the “Guest” role will typically be assumed.

  • include_guest – Whether or not the “Guest” role should be included when checking permissions. If False, then Guest’s permissions will not be consulted.

  • include_authenticated – Whether or not the “Authenticated” role should be included when checking permissions.

Note that if no principal is provided, and include_guest is set to False, then no checks will actually be done, and the return value will be False.
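
The role-resolution rules documented for has_permission() and cache_permissions() can be modelled in memory to show why grants on the built-in roles deserve review. This is an added example, not rattail's own code: Role, User and audit() are hypothetical stand-ins with no session argument, and it assumes the “Authenticated” role is only added when the principal is a user.

```python
# Added illustration: an in-memory model of the semantics documented above.
# It does not import rattail or use a database; Role and User here are
# hypothetical stand-ins for model.Role and model.User.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class User:
    username: str
    roles: list = field(default_factory=list)

GUEST = Role("Guest")
AUTHENTICATED = Role("Authenticated")

def cache_permissions(principal, include_guest=True, include_authenticated=True):
    """Return the set of permission names effectively granted to principal."""
    roles = []
    if isinstance(principal, User):
        roles.extend(principal.roles)
        # Assumption: "Authenticated" applies only to an actual user.
        if include_authenticated:
            roles.append(AUTHENTICATED)
    elif isinstance(principal, Role):
        roles.append(principal)
    if include_guest:          # a principal of None contributes only Guest
        roles.append(GUEST)
    return set().union(*(r.permissions for r in roles))

def has_permission(principal, permission, **kw):
    return permission in cache_permissions(principal, **kw)

def audit(principals, permission):
    """Usernames holding `permission` only through a built-in role."""
    return [p.username for p in principals
            if has_permission(p, permission)
            and not has_permission(p, permission, include_guest=False,
                                   include_authenticated=False)]

# Constructed sample data.
clerk = User("clerk", [Role("Clerk", {"products.view"})])
manager = User("manager", [Role("Manager", {"products.view", "users.create"})])
GUEST.permissions.add("products.view")
AUTHENTICATED.permissions.add("users.create")   # an over-broad grant
```

Calling audit([clerk, manager], "users.create") reports only the clerk, whose access comes from the “Authenticated” grant rather than from an assigned role.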

rattail.db.auth.grant_permission(role, permission)

Grant a permission to a role.

rattail.db.auth.revoke_permission(role, permission)

Revoke the given permission for the given role. This first checks to see if the role currently has the permission; if not then no change is made.