CherryPy Project Download

Simple authentication and access restrictions helpers

This small module provides CherryPy apps with facilities to specify in configuration and/or with decorators that specfic access restrictions apply to parts of the site. If those restrictions are not met, a user is redirect to a login page.

This is not meant to be a standalone module, just an example that you would include in your project and modify/extend to suit your needs.

Usage example is included below.

# -*- encoding: UTF-8 -*-
# Form based authentication for CherryPy. Requires the
# Session tool to be loaded.

import cherrypy

SESSION_KEY = '_cp_username'

def check_credentials(username, password):
    """Verifies credentials for username and password.
    Returns None on success or a string describing the error on failure"""
    # Adapt to your needs
    if username in ('joe', 'steve') and password == 'secret':
        return None
        return u"Incorrect username or password."
    # An example implementation which uses an ORM could be:
    # u = User.get(username)
    # if u is None:
    #     return u"Username %s is unknown to me." % username
    # if u.password !=
    #     return u"Incorrect password"

def check_auth(*args, **kwargs):
    """A tool that looks in config for 'auth.require'. If found and it
    is not None, a login is required and the entry is evaluated as a list of
    conditions that the user must fulfill"""
    conditions = cherrypy.request.config.get('auth.require', None)
    if conditions is not None:
        username = cherrypy.session.get(SESSION_KEY)
        if username:
            cherrypy.request.login = username
            for condition in conditions:
                # A condition is just a callable that returns true or false
                if not condition():
                    raise cherrypy.HTTPRedirect("/auth/login")
            raise cherrypy.HTTPRedirect("/auth/login") = cherrypy.Tool('before_handler', check_auth)

def require(*conditions):
    """A decorator that appends conditions to the auth.require config
    def decorate(f):
        if not hasattr(f, '_cp_config'):
            f._cp_config = dict()
        if 'auth.require' not in f._cp_config:
            f._cp_config['auth.require'] = []
        return f
    return decorate

# Conditions are callables that return True
# if the user fulfills the conditions they define, False otherwise
# They can access the current username as cherrypy.request.login
# Define those at will however suits the application.

def member_of(groupname):
    def check():
        # replace with actual check if <username> is in <groupname>
        return cherrypy.request.login == 'joe' and groupname == 'admin'
    return check

def name_is(reqd_username):
    return lambda: reqd_username == cherrypy.request.login

# These might be handy

def any_of(*conditions):
    """Returns True if any of the conditions match"""
    def check():
        for c in conditions:
            if c():
                return True
        return False
    return check

# By default all conditions are required, but this might still be
# needed if you want to use it inside of an any_of(...) condition
def all_of(*conditions):
    """Returns True if all of the conditions match"""
    def check():
        for c in conditions:
            if not c():
                return False
        return True
    return check

# Controller to provide login and logout actions

class AuthController(object):
    def on_login(self, username):
        """Called on successful login"""
    def on_logout(self, username):
        """Called on logout"""
    def get_loginform(self, username, msg="Enter login information", from_page="/"):
        return """<html><body>
            <form method="post" action="/auth/login">
            <input type="hidden" name="from_page" value="%(from_page)s" />
            %(msg)s<br />
            Username: <input type="text" name="username" value="%(username)s" /><br />
            Password: <input type="password" name="password" /><br />
            <input type="submit" value="Log in" />
        </body></html>""" % locals()
    def login(self, username=None, password=None, from_page="/"):
        if username is None or password is None:
            return self.get_loginform("", from_page=from_page)
        error_msg = check_credentials(username, password)
        if error_msg:
            return self.get_loginform(username, error_msg, from_page)
            cherrypy.session[SESSION_KEY] = cherrypy.request.login = username
            raise cherrypy.HTTPRedirect(from_page or "/")
    def logout(self, from_page="/"):
        sess = cherrypy.session
        username = sess.get(SESSION_KEY, None)
        sess[SESSION_KEY] = None
        if username:
            cherrypy.request.login = None
        raise cherrypy.HTTPRedirect(from_page or "/")

The developer must at least modify check_credentials to suit whatever means your applications has for matching usernames to passwords. The member_of condition also should be altered in lieu with your user/groups model if you have one.

You'll also probably want to customize the methods in AuthController.

How it works

The check_auth function runs for every request before the handler, but after the handler has been choosen by the dispatcher. It examines cherrypy.request.config for an entry named auth.require. If that entry is not None, a valid login is required. Furthermore, it is evaluated as a list of conditions.

Each condition is a callable that returns True or False depending on if the user meets the condition. A condition can get the current username from cherrypy.request.login. If any of the conditions are not met, the user is redirected to the login page.

Here is an example of how to use this, given that the above is saved in

import cherrypy
from auth import AuthController, require, member_of, name_is

class RestrictedArea:
    # all methods in this controller (and subcontrollers) is
    # open only to members of the admin group
    _cp_config = {
        'auth.require': [member_of('admin')]
    def index(self):
        return """This is the admin only area."""

class Root:
    _cp_config = {
        'tools.sessions.on': True,
        'tools.auth.on': True
    auth = AuthController()
    restricted = RestrictedArea()
    def index(self):
        return """This page only requires a valid login."""
    def open(self):
        return """This page is open to everyone"""
    def only_for_joe(self):
        return """Hello Joe - this page is available to you only"""

    # This is only available if the user name is joe _and_ he's in group admin
    @require(member_of("admin"))   # equivalent: @require(name_is("joe"), member_of("admin"))
    def only_for_joe_admin(self):
        return """Hello Joe Admin - this page is available to you only"""

if __name__ == '__main__':

Hope someone finds it useful..

For any questions, you'll find me on #cherrypy or at arnarbi -at- gmail

-- Arnar Birgisson

Hosted by WebFaction

Log in as guest/cherrypy to create/edit wiki pages