Thanks.
I am going to move all protected JavaScript files into a controller.

    class JsController(BaseController):
        def login(self, access_id):
            ...
            response.headers['Content-Type'] = 'application/javascript'
            return render('/js/login.js')
        ...

On Apr 23, 10:01 am, "Mike Orr" <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 22, 2008 at 8:32 AM, Jonathan Vanasco <[EMAIL PROTECTED]> wrote:
>
> > I think that the poster is trying to make the directories viewable
> > only to people who have authenticated to the server -- a la .htaccess
> >
> > http://wiki.pylonshq.com/pages/viewpage.action?pageId=9011252
> > http://wiki.pylonshq.com/display/pylonscookbook/Authentication+and+Au...
>
> The public directory is served separately from the controllers -- it's
> served by 'static_app' in middleware.py. So a controller-based
> authorization system cannot protect the public directory. I can think
> of only two ways to do this, and neither would be simple for a
> beginner.
>
> 1) Use a middleware-based authentication system such as AuthKit or
> repoze.who. You would also need to wrap 'static_app' in an
> authorization middleware, and I've never seen one of those for Pylons
> so you may have to write your own. There may be one in AuthKit I
> haven't noticed.
>
> 2) Serve the static files inside the controllers. There are two ways
> to do this. One is to create a controller action that serves a
> directory of static files, using paste.urlparser.StaticURLParser.
> The other is to use StaticURLParser itself as a pseudo-controller. I
> should make a HOWTO with the steps because I finally got this to work
> for some protected files I have, but not tonight.
>
> But the biggest question is, does your login page depend on any of
> these stylesheets or images? If so, it won't look right if you
> protect them. Likewise if your home page or any other page on the
> site is unprotected.
>
> The second question is, why do you want to protect them? If you're
> trying to prevent unauthorized users from accessing them, protection
> makes sense. But if you want to force authorized users to view them
> only embedded in an HTML page rather than directly -- you can't. If
> the browser can download it to decorate an HTML page with, it can also
> display it directly.
>
> --
> Mike Orr <[EMAIL PROTECTED]>
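
Option 1 from the quoted message (wrapping 'static_app' in an authorization middleware), together with the caveat about assets the login page needs, sketched as an added example that is not part of the thread and is not Pylons, AuthKit or repoze.who code. It assumes an upstream authentication middleware sets environ['REMOTE_USER'] for logged-in users; ProtectStatic, static_stub, request and the public prefixes are hypothetical names.

```python
# Added example. Assumption: an authentication middleware placed in front
# of this one sets environ['REMOTE_USER'] once a user has logged in.

def static_stub(environ, start_response):
    """Constructed stand-in for the 'static_app' built in middleware.py."""
    start_response('200 OK', [('Content-Type', 'application/javascript')])
    return [b'/* file body */']


class ProtectStatic(object):
    """Refuse anonymous requests to the wrapped app, except public prefixes."""

    def __init__(self, app, public_prefixes=()):
        self.app = app
        self.public_prefixes = tuple(public_prefixes)

    def __call__(self, environ, start_response):
        path = environ.get('PATH_INFO', '')
        # Reject dot segments so '/css/../js/x' cannot pass as a public path.
        if '..' in path.split('/'):
            start_response('400 Bad Request', [('Content-Type', 'text/plain')])
            return [b'Bad path\n']
        # Assets the login page itself needs stay reachable without a login.
        if path.startswith(self.public_prefixes) or environ.get('REMOTE_USER'):
            return self.app(environ, start_response)
        start_response('403 Forbidden', [('Content-Type', 'text/plain')])
        return [b'Login required\n']


def request(app, path, user=None):
    """Drive a WSGI app once with a constructed environ; return the status."""
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': path}
    if user:
        environ['REMOTE_USER'] = user
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen['status'] = status

    b''.join(app(environ, start_response))
    return seen['status']


# Constructed policy: stylesheets and login images public, the rest protected.
app = ProtectStatic(static_stub, public_prefixes=('/css/', '/img/login/'))
```
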