Hello,
I don't understand very well how authentication/authorization works with
Pyramid. I mean, how does the server remember whether the user can access
a classic route like this one, for instance:
from pyramid.view import view_config

@view_config(
    route_name='core/currentUser',
    renderer='json'
)
def current_user(request):
    # Illustrative body: the view is protected by the default permission below.
    return {'user_id': request.authenticated_userid}

# Default permission already set to 'read' (in the configuration code):
config.set_default_permission('read')
And after the user has already passed the login check function:
import transaction
from pyramid.httpexceptions import HTTPUnauthorized
from pyramid.security import NO_PERMISSION_REQUIRED, remember
from pyramid.view import view_config

# route_prefix, DBSession and User are defined elsewhere in the application.
@view_config(
    route_name=route_prefix+'login',
    permission=NO_PERMISSION_REQUIRED,
    request_method='POST')
def login(request):
    user_id = request.POST.get('user_id', '')
    pwd = request.POST.get('password', '')
    # .first() returns None for an unknown user; .one() would raise
    # NoResultFound before the None check below is ever reached.
    user = DBSession.query(User).filter(User.id==user_id).first()
    if user is not None and user.check_password(pwd):
        # remember() only builds the Set-Cookie headers for the response;
        # it stores nothing server side.
        headers = remember(request, user_id)
        response = request.response
        response.headerlist.extend(headers)
        transaction.commit()
        return response
    else:
        transaction.commit()
        return HTTPUnauthorized()
Actually I want to override the authentication system in order to use a
JSON Web Token cookie.
This post presents what I want to do:
https://github.com/ajkavanagh/pyramid_jwtauth/issues/9 (mine)
I started, among other stuff, to write a JWTAuthTktCookieHelper class in
order to keep more or less the AuthTktAuthenticationPolicy behaviour
(remember function) but with a JWT cookie and through the
JWTAuthenticationPolicy
<https://github.com/ajkavanagh/pyramid_jwtauth/blob/master/pyramid_jwtauth/__init__.py>
(optionally, I can extend AuthTktAuthenticationPolicy). I'm not sure it's
enough; I don't see how the permissions are kept server side, is it via a
session?
Hoping to be clear.
Thank you!
(be back on Saturday)
--
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.
Visit this group at http://groups.google.com/group/pylons-discuss.
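The question above ("how are the permissions kept server side, is it via a session?") is easiest to answer by modelling what Pyramid does on each request. The block below is an added example, written for this page; it is not code from the post, from Pyramid or from pyramid_jwtauth. It uses only the standard library: the JWT is an HS256 token assembled by hand, `remember()` returns nothing but a Set-Cookie header, a groupfinder-style callback maps the userid from the cookie to groups on every request, and `permits()` mirrors the rule of Pyramid's ACLAuthorizationPolicy (walk from the context up to the root, the first ACE naming one of the request's principals and the requested permission decides, no match means deny). `SECRET`, `COOKIE`, `USER_GROUPS`, the `Resource` class, `cookie_from_headers()` and `can()` are constructed stand-ins, not Pyramid APIs. The point it makes: no permission is ever stored server side; the cookie carries the identity and everything else is recomputed per request.

```python
"""Stateless authn/authz flow of the kind Pyramid runs on every request.

Added example (stdlib only), not code from the original post, from Pyramid or
from pyramid_jwtauth. The JWT is HS256 assembled by hand; the ACL walk mirrors
ACLAuthorizationPolicy's rule that the first matching ACE, searching from the
context up to the root, decides.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"   # assumption: the HS256 signing key
COOKIE = "auth_tkt"                              # assumption: cookie name
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
Allow, Deny = "Allow", "Deny"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(claims: dict, key: bytes = SECRET) -> str:
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def jwt_decode(token: str, key: bytes = SECRET, now=None):
    """Claims dict, or None when the token is malformed, forged or expired."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":   # reject alg=none & co.
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):    # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return None
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    return claims

# --- what AuthTktAuthenticationPolicy / a JWT policy do ----------------------
def remember(userid: str, ttl: int = 3600, now=None):
    """The headers a login view appends to its response. No server-side state."""
    now = time.time() if now is None else now
    token = jwt_encode({"sub": userid, "iat": int(now), "exp": int(now) + ttl})
    return [("Set-Cookie", f"{COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax")]

def cookie_from_headers(headers) -> dict:
    """Play the browser: echo the Set-Cookie value back as the next request's cookie."""
    name, value = headers[0][1].split(";", 1)[0].split("=", 1)
    return {name: value}

def authenticated_userid(cookies: dict, now=None):
    claims = jwt_decode(cookies.get(COOKIE, ""), now=now)
    return claims.get("sub") if claims else None

# The groupfinder callback is the only lookup, and it runs afresh on every request.
# Constructed stand-in for the poster's User table.
USER_GROUPS = {"alice": ["group:admins"], "bob": []}

def effective_principals(cookies: dict, now=None) -> list:
    principals = [Everyone]
    userid = authenticated_userid(cookies, now)
    if isinstance(userid, str) and userid in USER_GROUPS:   # unknown user => anonymous
        principals += [Authenticated, userid] + USER_GROUPS[userid]
    return principals

# --- what ACLAuthorizationPolicy does ----------------------------------------
class Resource:
    def __init__(self, name, acl, parent=None):
        self.__name__, self.__acl__, self.__parent__ = name, acl, parent

def permits(context, principals, permission) -> bool:
    """First ACE naming one of our principals and this permission wins; no match = deny.
    (Pyramid's ALL_PERMISSIONS sentinel is left out for brevity.)"""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", ()):
            perms = (perms,) if isinstance(perms, str) else perms
            if principal in principals and permission in perms:
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False

ROOT = Resource("", [(Allow, Authenticated, "read"),
                     (Allow, "group:admins", ("read", "write"))])
ADMIN = Resource("admin", [(Allow, "group:admins", "read"),
                           (Deny, Everyone, "read")], parent=ROOT)

def can(cookies: dict, context, permission, now=None) -> bool:
    """One request: cookie -> userid -> principals -> ACL. Nothing was remembered."""
    return permits(context, effective_principals(cookies, now), permission)

if __name__ == "__main__":
    browser = cookie_from_headers(remember("bob"))
    print(can(browser, ROOT, "read"), can(browser, ADMIN, "read"))   # True False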