Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: fa3e76118d
Fetching contributors…

Cannot retrieve contributors at this time

122 lines (89 sloc) 3.489 kb

Base Application

This is a basic wiki-style application. A visitor can view, add, and edit pages. They can also login, logout and view information on users of the system. The URL structure is as follows:




This demo isn't here to teach you how to use URL Dispatch or setup a basic application. If you have any questions about how to setup this simple application with no security, please go back to the Pyramid documentation and tutorials to learn more.


virtualenv --no-site-packages env
env/bin/pip install pyramid


The application is built around a model which persists User and Page objects.

Each User of the system has a login, password, and a list of groups to which they belong.

Each Page has a title, body, and owner, as well as a web-safe uri.


Most of the views are cookie cutter, but views relating to authentication have been singled out and explained in more detail.

Forbidden View

The forbidden view is an exception view registered for pyramid.httpexceptions.HTTPForbidden. When a protected resource is accessed with invalid permissions, Pyramid will raise an an HTTPForbidden exception. The base application provides two possibilities, depending on whether the user is already logged in when the permissions checks fail. If the user is not logged in they are redirected to the login page. However, if they were already logged in then we know they simply do not have access, and we return the HTTPForbidden response (403 Forbidden).

Login View

The login view will accept both GET and POST requests. On a GET it will serve up the basic login page and on POST it will look in the request's body for the login and password, validate them and if successful redirect to the previous page. A user is successfully logged in by calling which uses the :term:`authentication policy` to generate a list of headers that should be sent back as part of the response. These headers generally set a cookie which will allow the application to track the user on subsequent visits.

Logout View

The logout view is very simple, but it showcases the use of to generate a list of headers that should be sent back as part of the response. These headers generally will delete the cookies set by

Create Page View

Unauthenticated users cannot create pages because a Page must have an owner. This is protected by manually raising HTTPForbidden from within the create_page_view which will invoke the Forbidden View.

@view_config(route_name='create_page', renderer='edit_page.mako')
def create_page_view(request):
    owner = authenticated_userid(request)
    if owner is None:
        raise HTTPForbidden()

    # ...
Jump to Line
Something went wrong with that request. Please try again.