Tres Seaver wrote:
> Chris McDonough wrote:
>> FTR, I tried to apply the patch referenced in Lukasz' email to
>> redirectingformplugin, but as I was doing that, I realized I don't know where
>> SCRIPT_PATH is supposed to come from.  It's not a CGI or WSGI envvar as far 
>> as I
>> can tell and it's not in wsgiorg.routing_args either.  Is it supposed to be
>> I also took a look at FriendlyRedirectingFormPlugin.  FTR, I intend to add 
>> some
>> facility to who in the near future that makes it possible to log a user out
>> without necessarily displaying the challenge form (by maybe allowing the app 
>> to
>> return a 403 Forbidden, which would "forget" credentials but just display the
>> body of the page returned without actually invoking any challenger).
> 403 won't cause any credentials to be forgotten:  it says, "I know who
> you are, and you aren't allowed to access that resource."  Logging out
> should *not* be an exceptional case:  it should just be a redirect to
> whatever view / controller is responsible for triggering the "forget"
> (i.e., clearing the cookie, removing a key from the session, whatever),
> perhaps followed by a redirect to an unprotected "logged out" page (or
> wherever works for the app).

In our model, views/controllers return a status code (or at least a header)
indicating what who should do.  They don't actually do the work themselves.

> The basic auth / digest auth mechanisms *have* to challenge to log out:
>  otherwise, the browser will keep sending the credentials along.

Of course.

- C

Repoze-dev mailing list

Reply via email to