On 06.08.11 12:50, walden wrote:
> Hello,
>
> I've tried searching all over the documentation and the web, but
> please pardon me if I missed the answer.
>
> I'm in the process of migrating from Pylons 1.0 to Pyramid and I'm
> wondering how I should present a login form when using pyramid's
> handlers? I only want this login form to display if the user is not
> logged in. If they are logged in and don't have access to the page
> the forbidden page should be displayed.
>
> Ideally I'd like an action to be called to set up some variables in
> the template; for example:
>
> config.add_handler('display_login', '/login',
>                    'appname.handlers.auth:AuthHandler',
>                    action='display_login', request_method='GET')
>
>
> @action(renderer='login.mako')
> def display_login(self):
>     """Display the login form."""
>     return {'error_count': 0, 'came_from': self.request.url}
>
> I tried using config.add_view() ala:
>
> config.add_view(renderer='appname:templates/login.mako',
>                 context='pyramid.exceptions.Forbidden')
>
> and it sort of works but it simply renders the template (as expected)
> rather than "redirecting" to /login. My guess is that would also
> display the login page in the second case where the user is logged in
> but does not have access.
>
> So how to do this properly? Thanks for your replies and let me know
> if you need any other code from my app to help diagnose.
>
> Cheers
> Walden
>
I found the Wiki Flow of Authentication recipe[1] most useful when I was
implementing login handlers in my first pyramid project.
Basically what I do is:
1- implement the "user object as a request attribute" pattern[2]
2- protect every view that's not for public use and redirect to the Forbidden view
3- In my forbidden view I evaluate if a valid "user" exists as a request
attribute. If it does, they are forbidden the access; if it does not exist, I
show the login page.
e.g.:
# Imports assumed for the snippet below; DBSession and User come from the
# application's own models module (not shown in the original message).
from pyramid.httpexceptions import HTTPFound
from pyramid.security import remember
from pyramid.url import route_url

from .models import DBSession, User


def forbidden(request):
    # translation helper that this application attaches to the request
    _ = request.translate
    title = _(u'my site')
    # if no user instance exists in request, we need to log in
    if not isinstance(request.user, User):
        login_url = route_url('login', request)
        referrer = request.url
        if referrer == login_url:
            referrer = '/'  # never use the login form itself as came_from
        came_from = request.params.get('came_from', referrer)
        message = ''
        login = ''
        password = ''
        if 'form.submitted' in request.params:
            login = request.params['login']
            password = request.params['password']
            try:
                # I check the provided password here
                if User.login(login, password):
                    headers = remember(request, login)
                    # and check other stuff, such as temporary password, etc
                    usr = DBSession.query(User).get(login)
                    if not usr.temporarypass:
                        return HTTPFound(location=came_from,
                                         headers=headers)
                    else:
                        return HTTPFound(location=request.application_url +
                                         '/users/change_pass',
                                         headers=headers)
            except Exception as errmsg:
                message = errmsg.args[0]
        # GET, or a failed login: render the login form (with any error)
        return dict(
            message=message,
            url=request.application_url + '/login',
            came_from=came_from,
            login=login,
            password=password,
            title=title,
        )
    # if a user exists, it means we are not authorized to view this page
    else:
        return dict(
            message=_(u'You are not authorized to view this page'),
            title=title,
        )
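The came_from value in the forbidden view above is read straight from the query string and then used as the redirect location, so a crafted link can bounce a freshly logged-in user to any site. As an added example (not the poster's code), here is a stdlib-only helper that keeps the post-login redirect inside the application; application_url and login_url stand in for request.application_url and route_url('login', request), and the function name is my own.

```python
from urllib.parse import urljoin, urlsplit


def safe_came_from(came_from, application_url, login_url, default='/'):
    """Return a post-login redirect target that stays inside this app.

    Same intent as the came_from handling in the forbidden view above,
    but a value that would send the browser off-site (an open redirect)
    falls back to `default`: absolute URLs on another host, scheme-relative
    '//host' values, non-http(s) schemes, and paths outside the mount point
    of the application. The login form itself is never used as a target.
    """
    if not came_from or '\\' in came_from:
        # browsers treat '/\\host' like '//host', so refuse backslashes outright
        return default
    app = urlsplit(application_url)
    # resolve relative values against the application root so that
    # 'users/1' and '/users/1' are both compared as full URLs
    target = urlsplit(urljoin(application_url.rstrip('/') + '/', came_from))
    if target.scheme not in ('http', 'https'):
        return default  # e.g. 'javascript:' or 'data:' URLs
    if target.netloc.lower() != app.netloc.lower():
        return default  # another host, including '//evil.example/...'
    mount = app.path.rstrip('/')
    if target.path != mount and not target.path.startswith(mount + '/'):
        return default  # outside this application's mount point
    if target.path == urlsplit(login_url).path:
        return default  # never bounce back to the login form
    # hand back a site-relative URL so scheme and host always come from the app
    rel = target.path or '/'
    if target.query:
        rel += '?' + target.query
    return rel
```

Call it as came_from = safe_came_from(request.params.get('came_from'), request.application_url, login_url) in place of the raw request.params.get(...) lookup, and pass the result to HTTPFound as before.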
[1] http://docs.pylonsproject.org/projects/pyramid_cookbook/dev/wiki2_auth.html
[2] http://docs.pylonsproject.org/projects/pyramid_cookbook/dev/authentication.html