Base Classes¶
Abstract base classes for guardrail
plugins. Plugin developers should
subclass BasePermissionManager
and BasePermissionSchemaFactory
,
and optionally BaseLoader
as well.
-
class
guardrail.core.models.
BasePermissionManager
(registry=<guardrail.core.registry._Registry object>)[source]¶ Abstract base class for permission managers. Concrete subclasses must implement CRUD operations (check, add, and remove permissions), as well as the
_is_saved()
check.Parameters: registry (_Registry) – Optional registry object; use global registry
if not provided.-
get_permissions
(agent, target, Agent=None, Target=None, custom=None)[source]¶ List all permissions record
agent
has on recordtarget
.Parameters: - agent – Agent record
- target – Target record
- Agent – Optional agent schema; provide if permission is not
directly related to
agent
- Target – Optional target schema; provide if permission is not
directly related to
target
- custom – Optional callable for customizing permission queries; if
provided, will be passed the original query,
agent
,target
, and the permission join table
Returns: Set of permission labels between
agent
andtarget
-
has_permission
(agent, target, permission, Agent=None, Target=None, custom=None)[source]¶ Check whether record
agent
has permissionpermission
on recordtarget
.Parameters: - agent – Agent record
- target – Target record
- permission (str) – Permission
- Agent – Optional agent schema; provide if permission is not
directly related to
agent
- Target – Optional target schema; provide if permission is not
directly related to
target
- custom – Optional callable for customizing permission queries; if
provided, will be passed the original query,
agent
,target
, and the permission join table
Returns: Record
agent
has permissionpermission
on recordtarget
-
add_permission
(agent, target, permission)[source]¶ Grant permission
permission
to recordagent
on recordtarget
.Parameters: - agent – Agent record
- target – Target record
- permission (str) – Permission
Returns: Created permission record
Raises: PermissionExistsError
if permission has already been granted
-
remove_permission
(agent, target, permission)[source]¶ Revoke permission
permission
from recordagent
on recordtarget
.Parameters: - agent – Agent record
- target – Target record
- permission (str) – Permission
Raises: PermissionNotFound
if permission has not been granted
-
_get_permission_schema
(agent, target, Agent=None, Target=None)[source]¶ Look up join table linking
agent
andtarget
, verifying that both records have been persisted.Parameters: - agent – Agent record
- target – Target record
- Agent – Optional agent schema; provide if permission is not
directly related to
agent
- Target – Optional target schema; provide if permission is not
directly related to
target
Returns: Join table between
agent
andtarget
Raises: RecordNotSaved
if either record has not been persistedRaises: SchemaNotFound
if no join table exists
-
-
class
guardrail.core.models.
BasePermissionSchemaFactory
(bases)[source]¶ Abstract base class for schema factories that create permission join tables. Concrete subclasses must implement
_get_table_name()
and_make_schema_dict()
.Parameters: bases (tuple) – Base classes for created schema classes -
_update_parents
(agent, target, schema)[source]¶ Creating a permission join table may require mutating the
agent
andtarget
schemas. By default, take no action.Parameters: - agent – Agent schema class
- target – Target schema class
- schema – Created schema class
-
_make_schema_name
(agent, target)[source]¶ Build class name for permission join table.
Parameters: - agent – Agent schema class
- target – Target schema class
-
Registry¶
-
class
guardrail.core.registry.
_Registry
[source]¶ Registry of schemas designated as permission agents and targets, as well as the permission tables linking each agent-target pair. Should be used as a singleton in ordinary use, but can be instantiated for use in tests.
-
agent
(agent)[source]¶ Decorator that registers the decorated schema as a permission agent.
Example:
@registry.agent class User(Base): id = sa.Column(sa.Integer, primary_key=True)
-
target
(target)[source]¶ Decorator that registers the decorated schema as a permission target.
Example:
@registry.target class Post(Base): id = sa.Column(sa.Integer, primary_key=True)
-
add_permission
(agent, target, permission)[source]¶ Get the join table linking schemas
agent
andtarget
.Parameters: - agent – Agent schema class
- target – Target schema class
- schema – Permission join table
-
Decorators¶
-
class
guardrail.core.decorators.
has_permission
(permission, manager, agent_loader, target_loader, error_handler)[source]¶ Factory for permission-checking decorators. Should be subclassed or have arguments pre-filled with
functools.partial
.Parameters: - permission – Permission value
- manager – Permission manager
- agent_loader – Callable that loads an agent from the
args
andkwargs
passed to the decorated function - target_loader – Callable that loads a target from the
args
andkwargs
passed to the decorated function - error_handler – Callable that handles error codes
AGENT_NOT_FOUND
,TARGET_NOT_FOUND
, andFORBIDDEN
Extensions¶
SQLAlchemy¶
SQLAlchemy plugin for guardrail.
-
class
guardrail.ext.sqlalchemy.
SqlalchemyPermissionSchemaFactory
(bases, cascade=False)[source]¶ Permission schema factory for use with SQLAlchemy.
Parameters: - bases (tuple) – Base classes for created schema classes
- cascade (bool) – Database backend supports
ON DELETE
andON UPDATE
cascades; see_update_parents()
for details
Peewee¶
Peewee plugin for guardrail.
-
class
guardrail.ext.peewee.
PeeweePermissionSchemaFactory
(bases)[source]¶ Permission schema factory for use with Peewee.
Note: Peewee does not implement delete and update cascades outside the database backend, so care should be taken with deleting agent and target records when using a backend that does not support cascades (e.g. SQLite, MySQL using the MyISAM storage engine). In this case, use the
recursive
flag when deleting through Peewee:agent.delete_instance(recursive=True)
Pony ORM¶
Pony plugin for guardrail.
Django ORM¶
Django plugin for guardrail.
Note: Define permission schema factory in models.py
so that Django migrations
can detect permission schemas.
Custom object permissions backend for Django plugin