Changelogs » Aiohttp-auth-autz

PyUp Safety actively tracks 232,000 Python packages for vulnerabilities and notifies you when to upgrade.



  - Move to ``aiohttp`` 2.x.
  - Add support of middlewares decorators for ``aiohttp.web.View`` handlers.
  - Add ``uvloop`` as IO loop for tests.


  - ``autz`` middleware:
  - Simplify ``acl`` authorization policy by moving permit logic into ``policy.acl.AbstractACLAutzPolicy``.
  - Remove ``policy.acl.AbstractACLContext`` class.
  - Remove ``policy.acl.NaiveACLContext`` class.
  - Remove ``policy.acl.ACLContext`` class.


  - ``acl`` middleware:
  - Add ``setup`` function for ``acl`` middleware to install it in aiohttp fashion.
  - Fix bug in ``acl_required`` decorator.
  - Fix a possible security issue with ``acl`` groups. The issue is follow: the default behavior is
  to add ``user_id`` to groups for authenticated users by the acl middleware, but if
  ``user_id`` is equal to some of acl groups that user suddenly has the permissions he is not
  allowed for. So to avoid this kind of issue ``user_id`` is not added to groups any more.
  - Introduce ``AbstractACLGroupsCallback`` class in ``acl`` middleware to make it possible easily create
  callable object by inheriting from the abstract class and implementing ``acl_groups`` method. It
  can be useful to store additional information (such database connection etc.) within such class.
  An instance of this subclass can be used in place of ``acl_groups_callback`` parameter.
  - ``auth`` middleware:
  - Add ``setup`` function for ``auth`` middleware to install it in aiohttp fashion.
  - ``auth.auth_required`` raised now a ``web.HTTPUnauthorized`` instead of a ``web.HTTPForbidden``.
  - Introduce generic authorization middleware ``autz`` that performs authorization through the same
  interface (``autz.permit`` coroutine and ``autz_required`` decorator) but using different policies.
  Middleware has the ACL authorization as the built in policy which works in the same way as ``acl``
  middleware. Users are free to add their own custom policies or to modify ACL one.
  - Add global ``aiohttp_auth.setup`` function to install ``auth`` and ``autz`` middlewares at once
  in aiohttp fashion.
  - Add docs.
  - Rewrite tests using ``pytest`` and ``pytest-aiohttp``.