Application with permissions system. Build with tornado, mongodb, motor
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

ACL async application

Application with permissions system (ACL). Built with python, tornado, mongodb, motor.

Build Status Coverage Status


  • python 2.7


Tools used



Project has django-like structure: it contains 'applications'. Application has handlers, models, forms, etc.

Base modules

Base handlers module have ListHandler, DetailHandler, CreateHandler, DeleteHandler. They behave similiar to django ListView, DetailView and so on.

Base models module have BaseModel with common used methods. All models should subclass it.

Base forms contains adopted to tornado Form and ModelForm (subclasses of WTForms). ModelForm performs validation on its model and provide model object, if validation pass.

Permission system

Permissions are base on models. Each user has 'permissions' field, which has following structure:

permissions = {
    'model_name_1': ['read',],
    'model_name_2': ['read', 'write'],
    'model_name_3': ['read', 'write', 'delete'],

So user with such permissions can read objects of model_name_1, can read and write objects of model_name_2 and can read, write and delete objects of model_name_3. Permissions are checked in base handlers, so it is needed to subclass them. Example:

from base.handlers import ListHandler
from .models import NewsModel

class NewsListHandler(ListHandler):

    def initialize(self, **kwargs):
        super(NewsListHandler, self).initialize(**kwargs)
        self.model = NewsModel
        self.template_name = "news/list.html"

If it is needed to check additional permissions, it can be done by overriding corresponding methods of base handler. The easiest way is to provide it in get_additional_permissions method. For more complicated behaviour look at base handlers implementation.

Example, where to be able to delete 'news' object user must be also an author of this object (in addition to 'delete' permission):

from base.handlers import DeleteHandler
from .models import NewsModel

class NewsDeleteHandler(DeleteHandler):
    # ...

    def get_additional_permissions(self):
        if self.object is None:
            yield self.get_object()
        news = self.object
        raise gen.Return( == self.current_user)

UserModel has default permissions, contained in DEFAULT_PERMISSIONS. When user is created, he has those default permissions.

Shortcut to change permissions from mongodb shell:

Set permissions to user with email="" for model with name 'news'.

use acl_app
usr = db.accounts.findOne({_id: ""})
// look his current permissions
// set no permissions
usr.permissions['news'] = []
// set only read permissions
usr.permissions['news'] = ['read']
// set read, write, delete permissions
usr.permissions['news'] = ['read', 'write', 'delete']