Thanks for the quick reply. I've already implemented the "user object as a request attribute" pattern.
I noticed what you pasted above is a view, is there no good way to do this with a handler? I've been sticking with handlers thus far because I'm migrating a Pylons application. Would I be better served by just using a view in this case?

Thanks,
Walden

On Aug 6, 4:09 pm, Mariano Mara <[email protected]> wrote:
> On 06.08.11 12:50, walden wrote:
> > Hello,
> >
> > I've tried searching all over the documentation and the web, but
> > please pardon me if I missed the answer.
> >
> > I'm in the process of migrating from Pylons 1.0 to Pyramid and I'm
> > wondering how I should present a login form when using Pyramid's
> > handlers? I only want this login form to display if the user is not
> > logged in. If they are logged in and don't have access to the page,
> > the forbidden page should be displayed.
> >
> > Ideally I'd like an action to be called to set up some variables in
> > the template; for example:
> >
> >     config.add_handler('display_login', '/login',
> >                        'appname.handlers.auth:AuthHandler', action='display_login',
> >                        request_method='GET')
> >
> >     @action(renderer='login.mako')
> >     def display_login(self):
> >         """Display the login form."""
> >         return {'error_count': 0, 'came_from': self.request.url}
> >
> > I tried using config.add_view() a la:
> >
> >     config.add_view(renderer='appname:templates/login.mako',
> >                     context='pyramid.exceptions.Forbidden')
> >
> > and it sort of works but it simply renders the template (as expected)
> > rather than "redirecting" to /login. My guess is that it would also
> > display the login page in the second case where the user is logged in
> > but does not have access.
> >
> > So how to do this properly? Thanks for your replies and let me know
> > if you need any other code from my app to help diagnose.
> >
> > Cheers
> > Walden
>
> I found the Wiki Flow of Authentication recipe[1] most useful when I was
> implementing login handlers in my first pyramid project.
>
> Basically what I do is:
> 1- implement the "user object as a request attribute" pattern[2]
> 2- protect every view that's not for public use and redirect to the Forbidden
>    view
> 3- In my forbidden view I evaluate if a valid "user" exists as a request
>    attribute. If it does, they are forbidden access; if it does not exist, I
>    show the login page.
> e.g.:
>
>     from pyramid.httpexceptions import HTTPFound
>     from pyramid.security import remember
>     from pyramid.url import route_url
>
>     # assumed: DBSession and User come from the application's own model module
>     from appname.models import DBSession, User
>
>     def forbidden(request):
>         _ = request.translate
>         title = _(u'my site')
>         # if no user instance exists in request, we need to log in
>         if not isinstance(request.user, User):
>             login_url = route_url('login', request)
>             referrer = request.url
>             if referrer == login_url:
>                 referrer = '/'  # never use the login form itself as came_from
>             came_from = request.params.get('came_from', referrer)
>             message = ''
>             login = ''
>             password = ''
>             if 'form.submitted' in request.params:
>                 login = request.params['login']
>                 password = request.params['password']
>                 try:
>                     # I check the provided password here
>                     if User.login(login, password):
>                         headers = remember(request, login)
>                         # and check other stuff, such as temporary password, etc
>                         usr = DBSession.query(User).get(login)
>                         if usr.temporarypass == False:
>                             return HTTPFound(location=came_from,
>                                              headers=headers)
>                         else:
>                             return HTTPFound(location=request.application_url +
>                                              '/users/change_pass',
>                                              headers=headers)
>                 except Exception as errmsg:
>                     message = errmsg.args[0]
>             return dict(
>                 message=message,
>                 url=request.application_url + '/login',
>                 came_from=came_from,
>                 login=login,
>                 password=password,
>                 title=title
>             )
>         # if a user exists, it means we are not authorized to view this page
>         else:
>             return dict(
>                 message=_(u'You are not authorized to view this page'),
>                 title=title
>             )
>
> [1] http://docs.pylonsproject.org/projects/pyramid_cookbook/dev/wiki2_aut...
> [2] http://docs.pylonsproject.org/projects/pyramid_cookbook/dev/authentic...
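As an added example (not code from the thread), this is the came_from selection from the forbidden view quoted above, with one extra step: the chosen target is reduced to a path on this application before it is used as a redirect location, so a came_from parameter pointing at another host falls back to "/". A plain dict stands in for request.params and the function names are my own.

```python
import re

# Added example, not the thread's code. Accepts one leading "/" whose next
# character is not "/" or "\" (browsers read "//host" and "/\host" as a new
# authority), with no backslash or line break anywhere, so the value can
# only address a path on this application.
_LOCAL_PATH = re.compile(r"/(?![/\\])[^\\\r\n]*")


def safe_came_from(candidate, application_url, fallback="/"):
    """Reduce candidate to a path under application_url, or return fallback.

    Absolute URLs on our own host are reduced to their path and query;
    anything that would leave the application is replaced by fallback.
    The result is relative to application_url.
    """
    if not candidate:
        return fallback
    base = application_url.rstrip("/")
    if candidate == base:
        return "/"
    if candidate.startswith(base + "/"):
        candidate = candidate[len(base):]  # keep path and query only
    if not _LOCAL_PATH.fullmatch(candidate):
        return fallback  # other host, scheme-relative, or malformed
    return candidate


def pick_came_from(params, referrer, login_url, application_url):
    """Same selection order as the thread's forbidden view: the form's
    came_from wins over the referrer and the login form itself is never
    the target; the off-site fallback is the addition made here.
    """
    if referrer == login_url:
        referrer = "/"
    return safe_came_from(params.get("came_from", referrer), application_url)
```

The returned value is rooted at the application, so the redirect becomes HTTPFound(location=request.application_url + came_from).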
