Skip to main content

SQLAlchemy-based PAS user/group/prop store.

Project description

SQLAlchemy PAS plugin

This package provides a Zope 2 PAS plugin implementation (Pluggable Authentication Service) based on the SQLAlchemy database abstraction layer.

It allows you to store and query users and groups using a SQL database.

This package replaces the SQLPASPlugin. product. It is technically a fork of that codebase. Some tests have been rewritten but most are preserved.

Although not currently provided in a stable release, it’s used in production (tested against the pysqlite and PostgreSQL databases only).


To configure the plugin with a database, use z3c.saconfig. Define a named scoped session pas.plugins.sqlalchemy in your configure.zcml or in the zcml-additional parameter of the plone.recipe.zope2instance recipe in your buildout.


<configure xmlns="">
  <include package="z3c.saconfig" file="meta.zcml"/>

  <engine name="pas" url="postgresql://localhost/pas" />
  <session name="pas.plugins.sqlalchemy" engine="pas" />


Install the plugin using the included GenericSetup-profile. Note that tables will be created automatically on installation.

You can reinstall anytime to create non-existing tables. Note that tables are preserved on uninstallation.

Configuration from Plone

As an alternative to specifying the database connection information in zcml, you can use collective.saconnect to make your connections configurable on the plone control panel.

Install the package by adding it to your buildout, then install the add-on it in your plone site through Plone’s control panel. You now have a new control panel that allows you to create and edit database connections.

To add connections with generic setup add a file saconnections.xml to the generic setup profile of your site setup package, with the following content:

<?xml version="1.0"?>

For good performance, don’t forget to enable caching within the ZMI.

More information is available in the package description.

Custom principal, user and group model

You can register your own SQLAlchemy-based model class for all three categories.

The required class interfaces (required methods and attributes) are described in the interfaces module. Note that you can simply subclass from the default models which implement the required interfaces.

The settings are accessible in the ZMI. You can also use a custom setup handler.


def setup_pas_plugin(self):
    pas = self.acl_users
    plugin = pas['sql']


You may need to make sure the plugins are prioritized higher than the default ones (typically ZODB-based).


These items are on the to-do list:

  • Post-only security.

  • Review of implemented interfaces - is the implementation complete?

  • Handle groups title, description and email, to match newer versions of Plone.

  • Tests for configuration of external model.





  • Thanks to Inc. for financing the development of SQLPASPlugin

  • Thanks to Statens Byggeforskninginstitut ( for sponsoring the caching support.

  • Thanks to Gis & Web S.r.l. ( for sponsoring the groups management support.

  • Thanks to the Ocean Tracking Network ( for adding Group Capabilities and migration of existing users.


GNU GPL v2 (see LICENCE.txt for details)


0.4.1 (2017-10-23)

  • Fixed brown bag release. [malthe]

0.4 (2016-03-31)

  • added link to cache settings view in zmi [agitator]

  • fix: getPropertiesForUser uses principals _properties mapping now to map to the column used for zope_id id this is needed. [jensens]

  • do not expect a configured database connection on plugin install time in order to play nice with collective.saconnect. Also be less verbose if there is no connection configured. [jensens]

  • fix: different custom setup un-/install marker for install and uninstall [jensens]

  • Standardize name of installation profile to default. [jensens]

  • modernized: Pep8, Travis CI, … [jensens]

  • using _get_principal_by_id to get principal in doChangeUser, doDeleteUser, and allowPasswordSet methods [gborelli]

  • using ‘__mapper__’ instead of ‘__table__’ to check Column type. It allows to customize user model in another class with polymorphic_identity [gborelli]

  • fixed getPropertiesForUser, return None if principal doesn’t exist [gborelli]

  • check if principal exists before updating its properties [gborelli]

  • Fixed methods doSetProperty and setPropertiesForUser such that they accept a generic principal and not necessarily an instance of the plugin’s principal class. [malthe]

  • Wrap user properties in an actually mutable user property sheet (which writes changes back to the plugin). Previously, a mutable property sheet was returned, but this is incorrect since changes aren’t persisted.

    While the PAS interface specifies that a dict should be returned for an immutable result, we opt for a hybrid: a dict-aware user property sheet which does not promise mutability. The motivation is that the pluggable authentication service only supports a select list of property value types and not, for instance, Python’s own date and time classes. By returning a property sheet, we can provide a schema explicitly and not force the authentication service to “guess” (infer) it. [malthe]

0.3 (2011-10-13)

  • Fire IPropertiesUpdated (from PAS) event on setPropertiesForUser to allow components to take action when user properties are updated. [malthe]

  • Merged SVN repository (select branches) into the existing Github repository to consolidate improvements. [malthe]

  • Add title and description to groups.

    GetRolesForPrincipal needs to listen to __ignore_group_roles__ and __ignore_direct_roles__ from the request to work with plone 4. GetRolesForPrincipal needs to take group roles into account as default. [sunew]

  • Merged many changes from the branches: wichert-flexible, wichert-flexible-pw-encryption, zedr-mysql-optimized, auspex.

    Version 0.3 is not compatible with the earlier versions, upgrading will require some migration (not included). [sunew]

  • Seperate user_id and login - as in PAS. (Not complete?) [wichert]

  • Refactor user, group, and principal classes to enable more sharing of functionality between groups and users. [wichert]

  • Length of varchars to be compatible with MySQL [auspex, wichert, sunew, zedr]

  • Cleaned up the properties - only the plone properties are in the model now. Override the model if you need more fields. [sunew]

  • Password and salt readonly. [wichert, sunew]

  • remove IUpdatePlugin related stuff. Not used. [wichert]

  • Make models configurable via dotted path zmi properties. [wichert]

  • Also make the Principal class configurable. [sunew]

  • Add missing security declarations (match those for the same methods in PlonePAS and PluggableAuthService). [sunew]

  • Fully implement IRoleAssignerPlugin: missed doRemoveRoleFromPrincipal. [sunew]

  • More tests, tests pass for plone 4.0.7. [sunew]

0.2.1 (unreleased)

  • Fixed some tests. Now tests passes on plone 4.0.7. [sunew]

  • Convert to and from UTF-8 and unicode. Plone uses UTF-8 internally and most Python deployments will coerce using the ‘ascii’ codec, resulting in unicode decode errors. [mborch]

0.2 (released 2009/7/17)

  • Changed the ‘listed’ and ‘ext_editor’ column type to ‘Integer’ match the Plone model. [seletz]

0.1 (released 2009/7/17)

  • Initial public release.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pas.plugins.sqlalchemy-0.4.1.tar.gz (26.1 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page