On Wednesday, 20 June 2012 15:33:15 UTC+1, Chris McDonough wrote:
> On 06/20/2012 10:07 AM, Ben Sizer wrote:
> > I have set up my Session object the usual way, via a session factory, etc.
> >
> > SessionAuthenticationPolicy looks like exactly what I need, but are there any examples of its use? It would be handy to know where it pulls userids from, for example. Also it seems to want to be reading and writing auth values to the session itself, so does that affect how I have to mark a user as logged in?
>
> See the "callback" argument to its constructor. It's meant to be a function that accepts a user id and returns one of:
>
> - A sequence of group ids
> - An empty sequence (no groups associated with the user)
> - None
>
> If it returns None, it means that the userid doesn't exist in the database. If it returns a sequence (either empty or populated), it means the user exists in the database.
>
> How you implement the callback is up to you.
Thanks Chris. My issue was about what all that stuff means though - for example, I didn't know what 'user id' means in this context, whether it was something specific to Pyramid, whether I get any control over what that type is, etc. It isn't clear in the docs where the system gets this value from, so it's hard to know what you would compare it to. But I think I worked out that it's an arbitrary type which you pass in via remember().

Similarly, I don't have user groups in my system, so when you say "a sequence of group ids" it's a bit confusing, as are several references to 'groupfinder' functions in examples and code. I am just returning the original user_id wrapped in a list, and that seems to work.

As I understand it, the system works somewhat like this:

- to log in, your app must check the credentials, and then store a user id in the Authentication policy via the 'remember' function;
- the SessionAuthenticationPolicy implements remember() by storing that user id in the current session;
- if you use unauthenticated_userid() in your app, SessionAuthenticationPolicy will pull that user id value back from the session;
- if you use authenticated_userid() in your app, it'll call the callback you specified for the Authentication policy to check that the user id still exists before returning it;
- to log out, your app removes the user id from the session via the 'forget' function.

Is that about right?

I'm still a bit fuzzy on what exactly a principal means, but from a quick look at the code I think I can ignore most of that since I never call effective_principals() and don't currently need to support groups of users.

One more thing I don't fully understand is the use of forget() and session.invalidate(). I would like to be able to clear the cookie and destroy the server-side data at the same time when logging out - should I just call forget followed by invalidate(), and keep all cookie-related information out of invalidate()?
-- 
Ben Sizer

-- 
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To view this discussion on the web visit https://groups.google.com/d/msg/pylons-discuss/-/Ed2dZ_J67E8J.
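The login/logout flow Ben sketches above, as an added example that is not from the thread or from Pyramid itself: a dict-backed model of SessionAuthenticationPolicy (same 'auth.userid' session key and the same remember/forget/callback semantics Chris describes; the real Pyramid callback takes (userid, request)), with a constructed user store, a groupfinder that returns [userid] or None, and a logout that calls forget() and then session.invalidate(). It shows why access decisions should use authenticated_userid(): when the callback says the user is gone, unauthenticated_userid() still returns the stale id from the session but authenticated_userid() returns None.

```python
USERS = {"ben": {"disabled": False}}      # constructed user store (stand-in for a DB)

class Session(dict):
    """Stand-in for a Pyramid session: a dict with invalidate()."""
    def invalidate(self):
        self.clear()                      # destroys server-side session data

class Request:
    def __init__(self):
        self.session = Session()

class SessionAuthPolicy:
    """Models Pyramid's SessionAuthenticationPolicy (key 'auth.userid')."""
    def __init__(self, callback=None, prefix="auth."):
        self.callback, self.userid_key = callback, prefix + "userid"

    def remember(self, request, userid):      # login: stash id in session
        request.session[self.userid_key] = userid
        return []                             # no response headers needed

    def forget(self, request):                # logout: drop id, keep session
        request.session.pop(self.userid_key, None)
        return []

    def unauthenticated_userid(self, request):  # no callback involved
        return request.session.get(self.userid_key)

    def authenticated_userid(self, request):
        userid = self.unauthenticated_userid(request)
        if userid is None or self.callback is None:
            return userid
        # callback: None => user gone, [] or [ids] => user still valid
        return None if self.callback(userid, request) is None else userid

def groupfinder(userid, request):
    """No groups in the app, so return [userid], or None if the user is gone."""
    user = USERS.get(userid)
    return None if user is None or user["disabled"] else [userid]

policy = SessionAuthPolicy(callback=groupfinder)

def login(request, userid, password):
    if userid in USERS and password == "constructed-secret":  # check creds
        policy.remember(request, userid)
        return True
    return False

def logout(request):
    policy.forget(request)          # clears the auth key
    request.session.invalidate()    # then destroys the rest of the session
```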
