Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

315 lines (217 sloc) 11.306 kB

Authorization in TurboGears 2 applications

Status: Official


This document describes how authentication is integrated into TurboGears and how you may get started with it.

How authentication and authorization is set up by default

If you enabled authentication and authorization in your project when it was generated by TurboGears, then it's been set up to store your users, groups and permissions in SQLAlchemy-managed tables or Ming collections.

Your users' table is used by :mod:`repoze.who` to authenticate them. When the authentication has success TurboGears uses the TGAuthMetadata instance declared in config.base_config.sa_auth.authmetadata to retrieve the informations about your user which are required for authorization.

You are free to change the authmetadata object as you wish, usually if your authentication model changes, your authmetadata object will change accordingly.

You can even get rid of authorization based on groups and permissions and use other authorization patterns (e.g., roles, based on network components) or simply use a mix of patterns. To do this you can set authmetadata to None and register your own metadata providers for :mod:`repoze.who`.

Restricting access with :mod:`tg.predicates`

tg.predicates allows you to define access rules based on so-called "predicate checkers". It is a customized version of the :mod:`repoze.what` module which has been merged into TurboGears itself to make easier to support different authentication backends.

A predicate is the condition that must be met for the user to be able to access the requested source. Such a predicate, or condition, may be made up of more predicates -- those are called compound predicates. Action controllers, or controllers, may have only one predicate, be it single or compound.

A predicate checker is a class that checks whether a predicate or condition is met.

If a user is not logged in, or does not have the proper permissions, the predicate checker throws a 401 (HTTP Unauthorized) which is caught by the :mod:`repoze.who` middleware to display the login page allowing the user to login, and redirecting the user back to the proper page when they are done.

For example, if you have a predicate which is "grant access to any authenticated user", then you can use the following built-in predicate checker:

from tg.predicates import not_anonymous

p = not_anonymous(msg='Only logged in users can read this post')

Or if you have a predicate which is "allow access to root or anyone with the 'manage' permission", then you may use the following built-in predicate checker:

from tg.predicates import Any, is_user, has_permission

p = Any(is_user('root'), has_permission('manage'),
        msg='Only administrators can remove blog posts')

As you may have noticed, predicates receive the msg keyword argument to use its value as the error message if the predicate is not met. It's optional and if you don't define it, the built-in predicates will use the default English message; you may take advantage of this functionality to make such messages translatable.


Good predicate messages don't explain what went wrong; instead, they describe the predicate in the current context (regardless of whether the condition is met or not!). This is because such messages may be used in places other than in a user-visible message (e.g., in the log file).

  • Really bad: "Please login to access this area".
  • Bad: "You cannot delete an user account because you are not an administrator".
  • OK: "You have to be an administrator to delete user accounts".
  • Perfect: "Only administrators can delete user accounts".

Below are described the convenient utilities TurboGears provides to deal with predicates in your applications.

Action-level authorization

You can control access on a per action basis by using the :func:`tg.decorators.require` decorator on the actions in question. All you have to do is pass the predicate to that decorator. For example:

# ...
from tg import require
from repoze.what.predicates import Any, is_user, has_permission
# ...
class MyCoolController(BaseController):
    # ...
    @require(Any(is_user('root'), has_permission('manage'),
                 msg='Only administrators can remove blog posts'))
    def only_for_admins():
        flash('Hello admin!')
    # ...

Controller-level authorization

If you want that all the actions from a given controller meet a common authorization criteria, then you may define the allow_only attribute of your controller class:

from yourproject.lib.base import BaseController

class Admin(BaseController):
    allow_only = predicates.has_permission('manage')

    def index(self):
        flash(_("Secure controller here"))
        return dict(page='index')

    def some_where(self):
        """This is protected too.

        Only those with "manage" permissions may access.

        return dict()


Do not use this feature if the login URL would be mapped to that controller, as that would result in a cyclic redirect.

Built-in predicate checkers

These are the predicate checkers that are included with :mod:`tg.predicates`, although the list below may not always be up-to-date:

Single predicate checkers

Check that the current user has been authenticated.

Check that the authenticated user's user name is the specified one.

param user_name:The required user name.
type user_name:str

Check that the user belongs to the specified group.

param group_name:The name of the group to which the user must belong.
type group_name:str

Check that the current user has the specified permission.

param permission_name:The name of the permission that must be granted to the user.

Check that the current user has been granted all of the specified permissions.

param permission1_name:The name of the first permission that must be granted to the user.
param permission2_name:The name of the second permission that must be granted to the user.
param permission3_name ...:The name of the other permissions that must be granted to the user.

Negate the specified predicate.

param predicate:The predicate to be negated.

Custom single predicate checkers

You may create your own predicate checkers if the built-in ones are not enough to achieve a given task.

To do so, you should extend the :class:`tg.predicates.Predicate` class. For example, if your predicate is "Check that the current month is the specified one", your predicate checker may look like this:

from datetime import date
from repoze.what.predicates import Predicate

class is_month(Predicate):
    message = 'The current month must be %(right_month)s'

    def __init__(self, right_month, **kwargs):
        self.right_month = right_month
        super(is_month, self).__init__(**kwargs)

    def evaluate(self, environ, credentials):
        if != self.right_month:


When you create a predicate, don't try to guess/assume the context in which the predicate is evaluated when you write the predicate message because such a predicate may be used in a different context.

  • Bad: "The software can be released if it's %(right_month)s".
  • Good: "The current month must be %(right_month)s".

If you defined that class in, say, {yourproject}.lib.auth, you may use it as in this example:

# ...
from spain_travels.lib.auth import is_month
# ...
class SummerVacations(BaseController):
    # ...
    def start_vacations():
        flash('Have fun!')
    # ...

Built-in compound predicate checkers

You may create a compound predicate by aggregating single (or even compound) predicate checkers with the functions below:

But you can also nest compound predicates:

# ...
from yourproject.lib.auth import is_month
# ...
                                 Any(is_month(4), is_month(10)),
def release_ubuntu(self, **kwargs):
    return dict()
# ...

Which translates as "Anyone granted the 'release' permission may release a version of Ubuntu, if and only if it's April or October".

Jump to Line
Something went wrong with that request. Please try again.