Thanks.
I am going to move all protected JavaScript files into a controller.
class JsController(BaseController):
    def login(self, access_id):
        ...
        response.headers['Content-Type'] = 'application/javascript'
        return render('/js/login.js')
    ....
On Apr 23, 10:01 am, "Mike Orr" <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 22, 2008 at 8:32 AM, Jonathan Vanasco <[EMAIL PROTECTED]> wrote:
>
> > I think that the poster is trying to make the directories viewable
> > only to people who have authenticated to the server -- a la .htaccess
>
> > http://wiki.pylonshq.com/pages/viewpage.action?pageId=9011252
> > http://wiki.pylonshq.com/display/pylonscookbook/Authentication+and+Au...
>
> The public directory is served separately from the controllers -- it's
> served by 'static_app' in middleware.py. So a controller-based
> authorization system cannot protect the public directory. I can think
> of only two ways to do this, and neither would be simple for a
> beginner.
>
> 1) Use a middleware-based authentication system such as AuthKit or
> repoze.who. You would also need to wrap 'static_app' in an
> authorization middleware, and I've never seen one of those for Pylons
> so you may have to write your own. There may be one in AuthKit I
> haven't noticed.
>
> 2) Serve the static files inside the controllers. There are two ways
> to do this. One is to create a controller action that serves a
> directory of static files, using paste.urlparser.StaticURLParser.
> The other is to use StaticURLParser itself as a pseudo-controller. I
> should make a HOWTO with the steps because I finally got this to work
> for some protected files I have, but not tonight.
>
> But the biggest question is, does your login page depend on any of
> these stylesheets or images? If so, it won't look right if you
> protect them. Likewise if your home page or any other page on the
> site is unprotected.
>
> The second question is, why do you want to protect them? If you're
> trying to prevent unauthorized users from accessing them, protection
> makes sense. But if you want to force authorized users to view them
> only embedded in an HTML page rather than directly -- you can't. If
> the browser can download it to decorate an HTML page with, it can also
> display it directly.
>
> --
> Mike Orr <[EMAIL PROTECTED]>