repoze.what – Authorization for WSGI applications

Author:Gustavo Narea.
Latest version:1.0.9


repoze.what is an authorization framework for WSGI applications, based on repoze.who (which deals with authentication and identification).

On the one hand, it enables an authorization system based on the groups to which the authenticated or anonymous user belongs and the permissions granted to such groups by loading these groups and permissions into the request on the way in to the downstream WSGI application.

And on the other hand, it enables you to manage your groups and permissions from the application itself or another program, under a backend-independent API. For example, it would be easy for you to switch from one back-end to another, and even use this framework to migrate the data.

This is just the authorization pattern it supports out-of-the-box, but you can may it support other authorization patterns with your own predicates. It’s highly extensible, so it’s very unlikely that it will get in your way – Among other things, you can extend it to check for many conditions (such as checking that the user comes from a given country, based on her IP address, for example).


Unless mentioned otherwise, the following features are available in repoze.what and its official plugins:

  • Web framework independent. You can use it on any WSGI application and any WSGI framework (or no framework at all). Web frameworks may provide integration with it (like TurboGears 2, which features a strong integration with repoze.what).
  • Authorization only. It doesn’t try to be an all-in-one auth monster – it will only do authorization and nothing else.
  • Highly extensible. It’s been created with extensibility in mind, so that it won’t get in your way and you can control authorization however you want or need, either with official components, third party plugins or your own plugins.
  • Fully documented. If it’s not described in the manual, it doesn’t exist. Everything is documented along with examples.
  • Reliable. We are committed to keep the code coverage at 100%.
  • Control access to any resource. Although it’s only recommended to control authorization on action controllers, you can also use it to restrict access to other things in your package (e.g., only allow access to a database table if the current user is the admin).
  • If you use the groups/permissions-based authorization pattern, your application’s groups and permissions may be stored in an SQLAlchemy or Elixir-managed database, in .ini files or in XML files (although you may also create your own adapters!).
  • The only requirement is that you use the powerful and extensible repoze.who authentication framework (which can be configured for you with the quickstart <repoze.what.plugins.quickstart plugin).
  • It works with Python 2.4, 2.5 and 2.6.
  • It’s not hard to get started!

And according to the to-do list, we will have official plugins to:

  • Enable OAuth support.
  • Enable authorization based on certain network conditions (e.g., grant access if the user’s IP address belongs to a given IP range, deny access if the user’s host name is “”, grant access based on the user’s ISP).
  • Enable authorization based on client-side SSL certificates (e.g., allow access if the Certificate Authority is XYZ, allow access if the user is called “John Smith” or “Foo Bar”).
  • Enable authorization based on LDAP attributes of the authenticated user’s entry (e.g., allow access if the user can be reached at a cellular phone, allow access if the user belongs to the “ABC” organization), as well as the ability to re-use LDAP Organizational Units as groups.
  • Enable a highly extensible CAPTCHA driven authorization mechanism to restrict access to a given resource (possibly the hardest to create plugin).
  • Store groups in Htgroups.

How to install

The only requirement of repoze.what is repoze.who and you can install both by running:

easy_install repoze.what

The development mainline is available at the following Subversion repository:

Framework-specific documentation

The following documents will help you implement repoze.what in your framework (if any):

If you have written documents to implement repoze.what in a web framework, please let us know to get a link here.

How to get help?

The prefered place to ask questions is the Repoze mailing list or the #repoze IRC channel. Bugs reports and feature requests should be sent to the issue tracker of the Repoze project.

If you have problems, please don’t forget to include the output of your application with the AUTH_LOG environment variable set to 1 when you get in touch with us. For example, if your application is based on TurboGears or Pylons, you may run it with the following command:

AUTH_LOG=1 paster serve --reload development.ini