I have run across something which I find a bit of odd behaviour with authkit.

I currently have authkit set up so that on requests where there is no valid user (not logged in) it will forward to the login page. This makes perfectly good sense with respect to GET method requests. However, it does the exact same thing for POST method requests as well. In our application we have both a 'login' controller action that handles GET requests and a 'login' controller action that handles POST requests (the actual posting of the login form). I would guess this is a pretty typical pattern. Therefore, if you have a RESTful API for other POST method controller actions that are protected by authentication, authkit forwards those as well to 'login' if there is no logged in user. The original posted parameters are then posted to 'login' and the login fails with whatever error messages you have for login failures.

It seems to me that a more elegant behaviour would be to only do the forwarding/redirecting if it is a GET request. All other methods should return the appropriate HTTP return code (in this case a 401 Not Authenticated). Has anybody else experienced this or worked around this behaviour?

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
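The method-aware behaviour proposed above, written as a small WSGI middleware; this is an added example, not AuthKit's own code or anything from the poster. It assumes the upstream authentication layer sets `environ['REMOTE_USER']` for a logged-in user, and the `login_path`, `came_from` parameter and `protected_app` stand-in are hypothetical.

```python
"""WSGI middleware: redirect unauthenticated GET/HEAD requests to the login
page, and answer every other unauthenticated method with 401 instead of
forwarding its body into the login action."""
from urllib.parse import quote


def method_aware_auth(app, login_path="/login"):
    """Wrap `app` so unauthenticated requests are handled per HTTP method."""

    def middleware(environ, start_response):
        if environ.get("REMOTE_USER"):  # assumed set by the auth layer
            return app(environ, start_response)
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method in ("GET", "HEAD"):
            # Safe methods: send the browser to the login form and remember
            # the original URL so the user can be returned there afterwards.
            path = environ.get("PATH_INFO", "/") or "/"
            qs = environ.get("QUERY_STRING", "")
            came_from = path + ("?" + qs if qs else "")
            location = f"{login_path}?came_from={quote(came_from, safe='')}"
            start_response("302 Found", [("Location", location),
                                         ("Content-Type", "text/plain"),
                                         ("Content-Length", "0")])
            return [b""]
        # POST/PUT/DELETE/...: never replay the posted parameters into the
        # login action; tell the API client it must authenticate first.
        body = b"401 Unauthorized: authentication required"
        start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                            ("Content-Length", str(len(body)))])
        return [body]

    return middleware


def protected_app(environ, start_response):
    """Constructed stand-in for a protected controller action."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, method, path, user=None, qs=""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": qs}
    if user:
        environ["REMOTE_USER"] = user
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```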
