kotti.security.has_permission(permission, context, request)[source]

Check if the current request has a permission on the given context.

Deprecated since version 0.9.

  • permission (str) – permission to check for
  • context (:class:kotti.resources.Node) – context that should be checked for the given permission
  • request (kotti.request.Request) – current request

True if request has the permission, False else

Return type:


class kotti.security.Principal(name, password=None, active=True, confirm_token=None, title=u'', email=None, groups=None)[source]

A minimal ‘Principal’ implementation.

The attributes on this object correspond to what one ought to implement to get full support by the system. You’re free to add additional attributes.

  • As convenience, when passing ‘password’ in the initializer, it is hashed using ‘get_principals().hash_password’
  • The boolean ‘active’ attribute defines whether a principal may log in. This allows the deactivation of accounts without deleting them.
  • The ‘confirm_token’ attribute is set whenever a user has forgotten their password. This token is used to identify the receiver of the email. This attribute should be set to ‘None’ once confirmation has succeeded.
class kotti.security.AbstractPrincipals[source]

This class serves as documentation and defines what methods are expected from a Principals database.

Principals mostly provides dict-like access to the principal objects in the database. In addition, there’s the ‘search’ method which allows searching users and groups.

‘hash_password’ is for initial hashing of a clear text password, while ‘validate_password’ is used by the login to see if the entered password matches the hashed password that’s already in the database.

Use the ‘kotti.principals’ settings variable to override Kotti’s default Principals implementation with your own.


Return a list of principal ids that are in the database.


Return an iterable with principal objects that correspond to the search arguments passed in.

This example would return all principals with the id ‘bob’:


Here, we ask for all principals that have ‘bob’ in either their ‘name’ or their ‘title’. We pass ‘bob‘ instead of ‘bob’ to indicate that we want case-insensitive substring matching:

get_principals().search(name=u’bob‘, title=u’bob‘)

This call should fail with AttributeError unless there’s a ‘foo’ attribute on principal objects that supports search:

get_principals().search(name=u’bob’, foo=u’bar’)

Return a hash of the given password.

This is what’s stored in the database as ‘principal.password’.

validate_password(clear, hashed)[source]

Returns True if the clear text password matches the hash.

kotti.security.list_groups(name, context=None)[source]

List groups for principal with a given name.

The optional context argument may be passed to check the list of groups in a given context.

kotti.security.set_groups(name, context, groups_to_set=())[source]

Set the list of groups for principal with given name and in given context.

kotti.security.list_groups_callback(name, request)[source]

List the groups for the principal identified by name. Consider authz_context to support assigment of local roles to groups.

kotti.security.principals_with_local_roles(context, inherit=True)[source]

Return a list of principal names that have local roles in the context.

class kotti.security.Principals[source]

Kotti’s default principal database.

Look at ‘AbstractPrincipals’ for documentation.

This is a default implementation that may be replaced by using the ‘kotti.principals’ settings variable.


alias of Principal


Produce a conjunction of expressions joined by OR.


from sqlalchemy import or_

stmt = select([users_table]).where(
                    users_table.c.name == 'wendy',
                    users_table.c.name == 'jack'

The or_() conjunction is also available using the Python | operator (though note that compound expressions need to be parenthesized in order to function with Python operator precedence behavior):

stmt = select([users_table]).where(
                (users_table.c.name == 'wendy') |
                (users_table.c.name == 'jack')

See also