6.8. Authentication and user management

6.8.1 Login(), Logout() and Role()

For user authentication, Karrigell provides a framework built on three built-in functions, Login(), Logout() and Role(). The default implementation relies on a users database managed by the script users.ks, which is reserved for the site administrator. This script is available from the home page: Administration/Users management.
Users can have different roles, returned by the function Role():
  • None if the user is not logged in
  • visit if the user is logged in as "visitor": can only view pages, not edit them
  • edit if the user is logged in as "editor": can edit data
  • admin if the user is logged in as site administrator

The site administrator can add other roles by creating a file called roles.txt and putting it in the Data Directory (data/www for the local host). This file has one line per role name.

To restrict access to a script to users who have a given role, use the function

Login([script,[role,[valid_in,[redir_to,[add_user]]]]])

When it is executed, it checks whether the user is authenticated (using a cookie mechanism); if not:

  • a redirection is performed to a script (by default /login.ks/login) which prompts the user for a login and password
  • another script checks whether the login and password are present in the users database and whether the user with this login and password has one of the roles specified in role (defaults to ["admin"])
  • if so, a redirection is performed to the original script, or to another URL which can be specified as the argument redir_to:
    Login(role=["admin"],redir_to="/send/me/here/after/login")
    
  • by default, the login is valid for the folder in which the script is located. You can change the validity scope with the argument valid_in. For instance,
    Login(valid_in="/")
    
    makes the login valid for the whole site, from the root directory down. Widen the scope only as far as you need: a login cookie valid for "/" is presented to every script on the site, not just to the ones that called Login().

A script other than the default /login.ks/login can be specified with the script argument of Login(): Login(script="/utils/custom_login.py"), for instance.

If a user logs in with a login that is not yet in the users database, by default they receive an error message. If the parameter add_user is set to one of the possible roles ("admin", "edit", "visit"), a button to create a new account is offered and the user can enter their personal information; the new account gets the role named in add_user. Because anyone who reaches the login page can then create an account, be careful with add_user="admin": it lets an anonymous visitor register as site administrator. In any case, if the login already exists and the submitted password is not correct, an error message is returned.

Logout([script,[valid_in,[redir_to]]]) erases the login information. The logout script defaults to /admin/login.ks/logout; valid_in and redir_to have the same meaning as for Login().
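The decision Login() makes, as an added example that is not Karrigell's own code: it models the rules described above (role taken from a login cookie, check against the role list, redirection back to the original script or to redir_to, validity scope defaulting to the script's folder, extra roles read from roles.txt, add_user restricted to a known role) so they can be exercised offline. The session dict layout, the query-string parameter names and every function name here are assumptions made for the example.

```python
"""Model of the access-control decision behind Karrigell's Login() and Role().

Added example, not Karrigell's own code. The session layout
(cookie name -> {"role": ..., "valid_in": ...}), the query-string names
and all function names are assumptions made for this example.
"""
import posixpath
from urllib.parse import quote

BUILTIN_ROLES = ("visit", "edit", "admin")


def load_roles(roles_txt):
    """Known roles: the built-in ones plus roles.txt, one role name per line."""
    extra = [line.strip() for line in roles_txt.splitlines() if line.strip()]
    return BUILTIN_ROLES + tuple(r for r in extra if r not in BUILTIN_ROLES)


def scope_of(script_path):
    """Default validity scope: the folder in which the script is located."""
    folder = posixpath.dirname(script_path)
    return folder if folder.endswith("/") else folder + "/"


def in_scope(script_path, valid_in):
    """Folder-boundary prefix test, so '/admin' does not cover '/administrator/'."""
    scope = valid_in if valid_in.endswith("/") else valid_in + "/"
    return script_path.startswith(scope)


def current_role(session, script_path):
    """Role() analogue: None unless a login cookie valid for this script exists."""
    for entry in session.values():
        if in_scope(script_path, entry["valid_in"]):
            return entry["role"]
    return None


def login(session, script_path, role=("admin",), script="/login.ks/login",
          valid_in=None, redir_to=None, add_user=None, known_roles=BUILTIN_ROLES):
    """Login() analogue: ("ok", role) to continue, or ("redirect", url).

    The redirect URL carries the validity scope and the page to return to
    after a successful login (parameter names are assumptions).
    """
    if add_user is not None and add_user not in known_roles:
        raise ValueError("add_user must be one of %s" % (known_roles,))
    scope = valid_in or scope_of(script_path)
    current = current_role(session, script_path)
    if current in role:                      # authenticated with an accepted role
        return ("ok", current)
    target = redir_to or script_path         # default: come back to the caller
    url = "%s?valid_in=%s&redir_to=%s" % (
        script, quote(scope, safe=""), quote(target, safe=""))
    if add_user is not None:
        url += "&add_user=" + quote(add_user, safe="")
    return ("redirect", url)


if __name__ == "__main__":
    # constructed session: one cookie granting "edit" under /docs/
    session = {"karrigell_login": {"role": "edit", "valid_in": "/docs/"}}
    print(login(session, "/docs/edit.py", role=["edit", "admin"]))   # ok
    print(login(session, "/docs/edit.py"))                           # needs admin
    print(login(session, "/documents/x.py", role=["edit"]))          # out of scope
    print(load_roles("reviewer\n"))
```

The in_scope() test appends a slash before comparing, which is the detail to get right when a login is scoped to a folder: a plain string-prefix check would let a cookie valid for /admin be accepted by /administrator/.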

6.8.2 Example

def index():
    # check that the user is logged in as editor or administrator
    Login(role=["edit","admin"])
    # only runs if Login() succeeded
    print "Logged in as ",Role()

If the user is not logged in as administrator or editor, Login() redirects to the page requesting login and password.

If the user is logged in as "edit" or "admin", Login() does nothing and the rest of the function index() runs: the function Role() returns the current user's role.