I think I've found a couple of bugs in auth_tkt in tokens handling. In auth_tkt.set_user_cookie() the tokens (assuming are passed as a sequence) are joined together (http://trac.pythonpaste.org/pythonpaste/browser/Paste/trunk/paste/auth/auth_tkt.py#L286) to form a list which is written in the cookie afterwards. And this is fine. The problem arises when some lines below (http://trac.pythonpaste.org/pythonpaste/browser/Paste/trunk/paste/auth/auth_tkt.py#L81) this `tokens` object is passed to the AuthTicket constructor in where they are, once again, joined together. The result will be "t,o,k,e,n" instead of "token" in the cookie which breaks any kind of code relying on that.
I think it's safer to move the "if isinstance()" check in the AuthTicket constructor. At this time we monkey patched the set_user_cookie method. The other bug I encountered is the lack of REMOTE_USER_TOKENS in the environ in our application using auth_tkt. This was fixed by inserting "environ['REMOTE_USER_TOKENS'] = ticket.tokens" befor this line http://trac.pythonpaste.org/pythonpaste/browser/Paste/trunk/paste/auth/auth_tkt.py#L305 HTH -- Lawrence, stacktrace.it - oluyede.org - neropercaso.it "It is difficult to get a man to understand something when his salary depends on not understanding it" - Upton Sinclair _______________________________________________ Paste-users mailing list [email protected] http://webwareforpython.org/cgi-bin/mailman/listinfo/paste-users
