yosaiproject / yosai

A Security Framework for Python applications featuring Authorization (rbac permissions and roles), Authentication (2fa totp), Session Management and an extensive Audit Trail

Home Page: http://yosaiproject.github.io/yosai

License: Other

Language: Python 100.00%
Topics: python, authentication, authorization, sessionmanagement, rbac, security, twofactorauth, totp, two-factor


yosai's Issues

Tox config is broken

Several issues in tox.ini:

  • it wants to install requirements.txt but there is no such file
  • python -m py.test should be replaced with pytest

At this point I get the following error: ImportError: No module named 'yosai_dpcache', not sure what to do next.

Yosai web: How to keep user logged in? Bug?

From what I investigated, the user is not being kept logged in between accesses to the pages.
I am running Yosai==0.3.2 and I'm making use of the web component.

I've noticed that, after the user is logged in, the session is not kept between pages.
According to the web's mgt.py:87-90 code, the user id is obtained from the context, while the web_registry is also available on that same line. On that line, even though the web_registry holding the current session_id is available, the session_id is obtained from the context and not from the web_registry.
From following the code, I find that at no point in the execution of YosaiWeb is the session_id obtained from the web_registry. Am I doing something wrong?

I am not allowing users to use the remember_me functionality by not giving them the option to

I've tried searching through the tests and I can't find any test that actually exercises the Flask web component so that a user logs in and the session is then checked to have been kept between requests.

As a temp-fix, I will change that line 89 so it gets the session from the web registry when the one from the context is None

@Dowwie How do I unstick myself without creating security holes?

API docs and examples?

Hi,

Are there examples or API docs (for instance on Read The Docs)? I looked but couldn't find any.

I'm working on extending a home-grown RBAC with finer-grained permissions and audit log, and thought I'd try using Yosai instead of writing it myself. But I didn't see any how-tos on how to use it, especially regarding the details of hooking up an audit log, and also how to integrate with Flask.

cheers
adam

DefaultPermissionVerifier in core/authz/authz.py

Line 149:
the_parts = json.loads(assigned.decode('utf-8'))

Running Python 3.7, this raises an exception for me. Strings in py3 are automatically unicode, so the .decode('utf-8') call is not valid and raises an attribute exception. Naturally this depends on how you are implementing your datastore though - I'm not using postgres so I don't know if there is something funky going on with strings in the sqlalchemy engine.

I worked around the issue by overriding AccountStoreRealm to init a custom PermissionVerifier. The custom version is identical to the default one except that the .decode('utf-8') call is removed.

broken dependencies

I've been trying to get this working and I think you have some issues with breaking changes in your dependencies. Right now I am stuck with the CBOR serializer not working. When Yosai is passing the session object to the serializer, I get

TypeError: __init__() got an unexpected keyword argument 'encoders'

What seems to be happening is that your serializer is creating encoders from the session object, and passing them to CBOR2, but CBOR2 no longer wants them, it will pull the encoders from its own default list. This is described in the CBOR2 docs as a backward incompatible change in the library.

Flask Web Integration

Thanks for such a wonderful framework.

I wanted to know if there is any flask integration documentation available.
Or if you can point me to the right direction that'll be of great help.

Cheers.

Active Development

Is this project still being actively developed? Seems like it's been a year since the last commit.

Just wondering, thanks!

Integration with Django

I'd try to do that myself, but if you use Django yourself, could you put down a few examples in the readme? Because that would be great.

Thanks.

Log in with Token

UsernamePasswordToken requires you to give a username and password, but what if you want to log in with email and password?

Default Permission.implies method in core/authz/authz.py

Line 123-125:

if self.targets != {self.WILDCARD_TOKEN}:
    if not self.actions >= permission.actions:
        return False

This appears to be a copy+paste error. Line 124 is evaluating the actions part of the permission instead of the targets part. This causes permission checks to fail. Modifying it to evaluate self.targets seems to fix everything.
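The two authz.py reports above (the .decode('utf-8') call that fails on a Python 3 str, and the targets check that compares actions instead of targets) can be illustrated together on a small model. The code below is an added example, not yosai's own implementation: it assumes Shiro-style wildcard permission strings of the form domain:actions:targets, a JSON array of such strings as the stored value, and the names Permission, load_assigned_permissions and is_permitted, all of which are constructed for this illustration. The loader only decodes real bytes, and implies() compares each part with its own counterpart, so an assignment on one target no longer covers another.

```python
import json
from typing import Iterable, List, Union

WILDCARD_TOKEN = "*"   # assumed wildcard token for this model
PART_DIVIDER = ":"     # domain:actions:targets
SUBPART_DIVIDER = ","  # read,write


class Permission:
    """Simplified Shiro-style wildcard permission (assumed model, not yosai's class)."""

    def __init__(self, wildcard: str) -> None:
        parts = wildcard.split(PART_DIVIDER)
        if len(parts) > 3:
            raise ValueError("expected at most domain:actions:targets, got %r" % wildcard)
        # Missing trailing parts are treated as the wildcard (assumed semantics).
        parts += [WILDCARD_TOKEN] * (3 - len(parts))
        self.domain, self.actions, self.targets = (
            {p.strip() for p in part.split(SUBPART_DIVIDER) if p.strip()}
            for part in parts
        )
        if not (self.domain and self.actions and self.targets):
            raise ValueError("empty permission part in %r" % wildcard)

    def implies(self, permission: "Permission") -> bool:
        """True if this (assigned) permission covers the requested one.

        Each part is checked independently: a wildcard part covers anything,
        otherwise the assigned part must be a superset of the requested part.
        """
        if self.domain != {WILDCARD_TOKEN}:
            if not self.domain >= permission.domain:
                return False
        if self.actions != {WILDCARD_TOKEN}:
            if not self.actions >= permission.actions:
                return False
        if self.targets != {WILDCARD_TOKEN}:
            # Targets are compared with targets; comparing actions here (the
            # reported copy-paste) would leave the targets part unchecked.
            if not self.targets >= permission.targets:
                return False
        return True


def load_assigned_permissions(assigned: Union[str, bytes]) -> List[Permission]:
    """Parse a JSON array of wildcard strings from the datastore.

    On Python 3 a text value has no .decode(), so only real bytes are decoded;
    a str is used as-is. This avoids the AttributeError from the report above.
    """
    if isinstance(assigned, (bytes, bytearray)):
        assigned = assigned.decode("utf-8")
    parts = json.loads(assigned)
    if not isinstance(parts, list) or not all(isinstance(p, str) for p in parts):
        raise ValueError("expected a JSON array of permission strings")
    return [Permission(p) for p in parts]


def is_permitted(assigned: Iterable[Permission], required: str) -> bool:
    """Authorization decision: any assigned permission must imply the required one."""
    needed = Permission(required)
    return any(p.implies(needed) for p in assigned)


# Constructed sample: the same stored value once as text and once as bytes,
# mimicking the two ways a datastore driver might hand the column back.
ASSIGNED_TEXT = '["report:read,export:quarterly", "audit:*"]'
ASSIGNED_BYTES = ASSIGNED_TEXT.encode("utf-8")

if __name__ == "__main__":
    perms = load_assigned_permissions(ASSIGNED_BYTES)
    for req in ("report:read:quarterly", "report:read:annual", "audit:write:anything"):
        print(req, "->", is_permitted(perms, req))
```

Running the block prints True for report:read:quarterly, False for report:read:annual (same domain and action, different target) and True for audit:write:anything (the audit entry has wildcard actions and targets); the loader gives the same result whether it is handed the str or the bytes form.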

Version Clarification

Hello,

I finally have the time needed to get into Yosai and advance a project. I am getting pip errors (this should be familiar to many):

error: command '/usr/bin/clang' failed with exit status 1

Usually this is an OSX command line tool error. Not this time. It looks like a product of python-rapidjson requirement (https://github.com/YosaiProject/yosai/blob/master/setup.py#L38).

Visiting https://pypi.python.org/pypi/python-rapidjson/ they state:

We do not support legacy python versions, you will need to upgrade to Python 3 to use this library.

So Yosai is Python3 only? I am 2.7, I can go 3.x, but I was not planning on doing a full 3.x move until ~2020.

There could be other dependency issues, the aforementioned requirement was the first clear roadblock I ran into.

I am going to set up a 3.x env and see what happens. Thanks in advance, I will always accept user error as a valid answer.
