Security Model¶
What it is¶
Guillotina uses context-aware authorization. Users and groups receive roles, roles grant permissions, and services declare which permission is required for a request to succeed.
Where it appears¶
Authentication identifies the active principal.
Traversal resolves the object context.
Service registration declares a permission.
Security policy checks whether the principal has that permission on the resolved context.
Use permissions on a service¶
from guillotina import configure
from guillotina.interfaces import IContainer
@configure.service(
context=IContainer,
method="GET",
permission="guillotina.ViewContent",
name="@secure-summary",
)
async def secure_summary(context, request):
return {"id": context.id}
Inspect sharing¶
curl -u root:root http://localhost:8080/db/docs/@sharing
Extension points¶
Use permissions on every service that exposes protected data or mutation.
Use local roles when authorization should vary by container or content path.
Keep public endpoints explicit with the appropriate public permission.
Common failures¶
Assigning roles at the wrong level can expose too much content or deny valid access.
Registering a service with a broad context and permissive permission can make it available in more places than intended.
Assuming global roles override contextual checks leads to incorrect security expectations.
Search results are also security-sensitive; catalog queries should not bypass context permissions.