Changelogs » Aiohttp-auth-autz




- Move to ``aiohttp`` 2.x.

- Add support of middlewares decorators for ``aiohttp.web.View`` handlers.

- Add ``uvloop`` as IO loop for tests.


- ``autz`` middleware:

- Simplify ``acl`` authorization policy by moving permit logic into ``policy.acl.AbstractACLAutzPolicy``.

- Remove ``policy.acl.AbstractACLContext`` class.

- Remove ``policy.acl.NaiveACLContext`` class.

- Remove ``policy.acl.ACLContext`` class.



- ``acl`` middleware:

- Add ``setup`` function for ``acl`` middleware to install it in aiohttp fashion.

- Fix bug in ``acl_required`` decorator.

- Fix a possible security issue with ``acl`` groups. The issue is follow: the default behavior is
to add ``user_id`` to groups for authenticated users by the acl middleware, but if
``user_id`` is equal to some of acl groups that user suddenly has the permissions he is not
allowed for. So to avoid this kind of issue ``user_id`` is not added to groups any more.

- Introduce ``AbstractACLGroupsCallback`` class in ``acl`` middleware to make it possible easily create
callable object by inheriting from the abstract class and implementing ``acl_groups`` method. It
can be useful to store additional information (such database connection etc.) within such class.
An instance of this subclass can be used in place of ``acl_groups_callback`` parameter.

- ``auth`` middleware:

- Add ``setup`` function for ``auth`` middleware to install it in aiohttp fashion.

- ``auth.auth_required`` raised now a ``web.HTTPUnauthorized`` instead of a ``web.HTTPForbidden``.

- Introduce generic authorization middleware ``autz`` that performs authorization through the same
interface (``autz.permit`` coroutine and ``autz_required`` decorator) but using different policies.
Middleware has the ACL authorization as the built in policy which works in the same way as ``acl``
middleware. Users are free to add their own custom policies or to modify ACL one.

- Add global ``aiohttp_auth.setup`` function to install ``auth`` and ``autz`` middlewares at once
in aiohttp fashion.

- Add docs.

- Rewrite tests using ``pytest`` and ``pytest-aiohttp``.