Restrict the access of anonymous users to GNU MediaGoblin

jerome bc54ea98b4 [doc] Attempt to fix code blocks rendering of README.md 4 months ago
mediagoblin_private [enh] Do not restrict the access to path which starts with /auth/ 1 year ago
.gitignore Initial commit 1 year ago
CHANGELOG [rel] Release v0.2.0 1 year ago
LICENSE Initial commit 1 year ago
MANIFEST.in [fix] Add MANIFEST.in for the distribution 1 year ago
README.md [doc] Attempt to fix code blocks rendering of README.md 4 months ago
README.rst [doc] Give a more complete usage example in README 1 year ago
setup.py [rel] Release v0.2.0 1 year ago

README.md

mediagoblin-private

This plugins restricts the access of anonymous users to your GNU MediaGoblin instance. You can choose between denying the access - and allowing as needed some route paths - or allowing it by default - and denying some route paths.

Set up the private plugin

  1. Install this Python package from PyPi.

    $ pip install mediagoblin-private
    

    Or if you've checked out this plugin, you should be able to build and install it in the same virtual environment than MediaGoblin. Let's say it's in the same parent directory, you can execute:

    $ ../mediagoblin/bin/python setup.py build
    $ ../mediagoblin/bin/python setup.py install
    
  2. Enable the mediagoblin-private plugin by adding the following line to the [plugins] section of your MediaGoblin configuration file.

    [[mediagoblin_private]]
    
  3. Restart the MediaGoblin instance for the configuration file changes to be effective.

Configure the private plugin

You should first set deny_access value to define if the access must be denied - e.g. true, the default - or allowed - e.g. false - to anonymous users.

You can also define some route paths exceptions to reverse the restriction behaviour. It could be useful if you want to deny the access of your instance but keep some public pages, for example. You would also want to keep an open MediaGoblin instance but deny the access of anonymous users to some pages or media. Anyway, you can set the following to define your exceptions:

  • path_exceptions: a list - e.g. comma-separated values - of strict route path for which the access will either be denied or allowed.
  • path_regex_exceptions: a list of regular expression to match the route path to either deny or allow - see the Regular Expression HOWTO.

Note that route path which starts with /auth/ will always be allowed.

As an example, the following deny the access of anonymous users to your MediaGoblin instance except for the homepage - e.g. /, an about page at /about/ and route paths which starts with /public/:

[[mediagoblin_private]]
deny_access = true
path_exceptions = '/', '/about/'
path_regex_exceptions = '/public/.*',

Do not forget the trailing comma in case of a single item in the path_exceptions or path_regex_exceptions list!