Handling redirects in case security checks fail is quite easy. For example
the following will set up
a redirect:

#------------------------------------------------------------
from pyramid.config import Configurator
from pyramid.httpexceptions import HTTPFound, HTTPForbidden

def forbidden_view(exc, request):
    # exception views are called as (context, request); the context is the
    # HTTPForbidden raised when the ACL check failed
    return HTTPFound(location=request.route_url('loginform'))

def main(global_config, **settings):
    config = Configurator(settings=settings)
    config.add_route('loginform', '/login')
    # pyramid view configuration: HTTPForbidden is what the older
    # pyramid.exceptions.Forbidden name aliases
    config.add_view(forbidden_view, context=HTTPForbidden)
    return config.make_wsgi_app()
#------------------------------------------------------------

Password verification itself is not part of Pyramid's API. It is handled by
your user management.
At least Pyramid's default AuthTktAuthenticationPolicy and
ACLAuthorizationPolicy have nothing
to do with passwords.
The password should be validated before you call remember.

After that to check user authentication you can use

    request.authenticated_userid

and

    request.unauthenticated_userid

The second will give you the username even if the user session (stored in a
cookie for example)
has expired.

Hope this helps, Arndt.
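The three-way decision Theron asked for (login redirect, re-verify redirect, or a plain 403), worked through as an added example that is not part of Arndt's reply or of Pyramid itself. It assumes a hypothetical minimal `Request` stand-in carrying the attributes Arndt names, a `SENSITIVE` set of permission names and a `VERIFY_WINDOW` freshness limit, all constructed here, and a `denied_permission` argument mirroring what `HTTPForbidden.result.permission` would supply in a real forbidden view:

```python
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

VERIFY_WINDOW = 10 * 60  # constructed: seconds a password re-check stays fresh
SENSITIVE = {"change_password", "manage_users", "billing"}  # constructed names


@dataclass
class Request:
    """Hypothetical stand-in for the Pyramid request attributes used below."""
    path: str
    authenticated_userid: Optional[str] = None
    unauthenticated_userid: Optional[str] = None
    session: dict = field(default_factory=dict)


def groupfinder(userid, request, now=None):
    """Effective-principals callback (the kind passed as
    AuthTktAuthenticationPolicy(callback=...)): grant role:Verified only
    while the server-side record of the last password re-check is fresh."""
    now = time.time() if now is None else now
    roles = ["role:Authenticated"]
    verified_at = request.session.get("verified_at")
    if verified_at is not None and 0 <= now - verified_at <= VERIFY_WINDOW:
        roles.append("role:Verified")
    return roles


def forbidden_view(request, denied_permission, now=None):
    """Pick the forbidden-view outcome as (status, redirect_location).
    denied_permission mirrors HTTPForbidden.result.permission (assumption)."""
    if request.authenticated_userid is None:
        # unauthenticated_userid may still name the user from an expired
        # ticket; use it only to prefill the login form, never as authentication
        return 302, "/loginform?" + urlencode({"next": request.path})
    verified = "role:Verified" in groupfinder(
        request.authenticated_userid, request, now)
    if denied_permission in SENSITIVE and not verified:
        return 302, "/verify?" + urlencode({"next": request.path})
    # everything else: a real authorization failure, so show the 403 page
    return 403, None
```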


2015-01-13 13:31 GMT+01:00 Tom Lazar <[email protected]>:

> just as a general guideline I would always try to implement as much as
> possible via roles and permissions.
>
> in this case I would suggest a role of perhaps Authenticated, Verified and
> Anonymous and then assign permissions to the views as your business logic
> seems fit.
>
> this reduces the problem scope to assigning the Verified role, perhaps in
> a custom callback.
>
> just a quick thought, hope it helps.
>
> cheers,
>
> tom
>
> On 12 Jan 2015, at 22:33, Theron Luhn <[email protected]> wrote:
>
> I'm working on authorization+authentication for my webapp.  The login has
> a "remember" feature so users don't have to log in each visit.  As best
> practice, any sensitive features (password changing, user management,
> billing, etc.) should require a user to verify their password before
> continuing.  That way a malicious individual couldn't wreak too much havoc
> if a user clicks "remember me" on a public terminal, for example.
>
> I'm trying to figure out a way to implement this with Pyramid's
> authentication+authorization mechanisms.  A simple custom authentication
> policy is sufficient to declare a user as "verified" or "unverified", and
> the ACL authorization policy can limit access to the sensitive features to
> verified users.  However, I can't figure out how to take the appropriate
> action when access is denied.  Depending on the state of the session, I
> need to do one of three things:
>
>    - No authenticated session — Redirect user to login form
>    - "Unverified" session and attempting to access sensitive feature —
>    Redirect user to verify password form
>    - Everything else — Show a 403 Forbidden error page.
>
> Any ideas on how I could achieve this?
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/pylons-discuss.
> For more options, visit https://groups.google.com/d/optout.
>


Nive open source releases - http://os.nive.co
