Tres Seaver wrote:
> Chris McDonough wrote:
>> FTR, I tried to apply the patch referenced in Lukasz' email to
>> redirectingformplugin, but as I was doing that, I realized I don't know where
>> SCRIPT_PATH is supposed to come from. It's not a CGI or WSGI envvar as far as I
>> can tell and it's not in wsgiorg.routing_args either. Is it supposed to be
>> SCRIPT_NAME?
>>
>> I also took a look at FriendlyRedirectingFormPlugin. FTR, I intend to add some
>> facility to who in the near future that makes it possible to log a user out
>> without necessarily displaying the challenge form (by maybe allowing the app to
>> return a 403 Forbidden, which would "forget" credentials but just display the
>> body of the page returned without actually invoking any challenger).
>
> 403 won't cause any credentials to be forgotten: it says, "I know who
> you are, and you aren't allowed to access that resource." Logging out
> should *not* be an exceptional case: it should just be a redirect to
> whatever view / controller is responsible for triggering the "forget"
> (i.e., clearing the cookie, removing a key from the session, whatever),
> perhaps followed by a redirect to an unprotected "logged out" page (or
> wherever works for the app).

In our model, views/controllers return a status code (or at least a header)
indicating what who should do. They don't actually do the work themselves.

> The basic auth / digest auth mechanisms *have* to challenge to log out:
> otherwise, the browser will keep sending the credentials along.

Of course.

- C

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
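The three points made in this exchange (a view only signals what the auth middleware should do and the middleware does the work; a 403 leaves credentials untouched; Basic/Digest logins can only be "logged out" by re-challenging, since the server cannot clear what the browser caches) can be seen in a toy WSGI middleware. This is an added example, not repoze.who's code and not code from anyone on the thread. The `X-Logout` response header, the `auth_tkt` cookie name, and the `/login` and `/logged_out` paths are assumptions made for the illustration.

```python
"""Toy WSGI auth middleware illustrating logout-by-signal vs. 403 vs. Basic auth.
Not repoze.who: header, cookie and path names below are assumed for illustration."""
import base64
from http.cookies import SimpleCookie

COOKIE_NAME = "auth_tkt"    # assumed cookie name
LOGOUT_HEADER = "X-Logout"  # assumed view-to-middleware signal header


class CookieIdentifier:
    """Identifies a user from a cookie; can forget by expiring that cookie."""

    def identify(self, environ):
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        return cookie[COOKIE_NAME].value if COOKIE_NAME in cookie else None

    def forget(self):
        # Server-side logout works: tell the browser to drop the cookie.
        return [("Set-Cookie", "%s=; Path=/; Max-Age=0" % COOKIE_NAME)]

    def challenge(self):
        # Cookie/form logins are challenged by redirecting to the login form.
        return "302 Found", [("Location", "/login")]


class BasicIdentifier:
    """Identifies a user from HTTP Basic credentials the browser resends."""

    def identify(self, environ):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        if not auth.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(auth[6:]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        return decoded.split(":", 1)[0] or None

    def forget(self):
        return []  # nothing to clear server-side; the browser caches them

    def challenge(self):
        return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="app"')]


class AuthMiddleware:
    """Acts on the status/header the view returns; the view does no auth work."""

    def __init__(self, app, identifier):
        self.app, self.identifier = app, identifier

    def __call__(self, environ, start_response):
        user = self.identifier.identify(environ)
        if user is not None:
            environ["REMOTE_USER"] = user
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        body = list(self.app(environ, capture))
        status, headers = captured["status"], captured["headers"]
        code = int(status.split(" ", 1)[0])
        wants_logout = any(k.lower() == LOGOUT_HEADER.lower() for k, _ in headers)
        headers = [(k, v) for k, v in headers if k.lower() != LOGOUT_HEADER.lower()]
        if code == 401:  # unauthenticated: challenge, discard the view's body
            status, headers = self.identifier.challenge()
            start_response(status, headers)
            return [b""]
        if wants_logout:
            forget = self.identifier.forget()
            if forget:  # cookie can be cleared: pass the view's redirect through
                start_response(status, headers + forget)
                return body
            # Basic/Digest: nothing to forget, so re-challenge to make the
            # browser stop sending the credentials along.
            status, headers = self.identifier.challenge()
            start_response(status, headers)
            return [b""]
        start_response(status, headers)  # 403 and everything else: untouched
        return body


def demo_app(environ, start_response):
    """Constructed sample views: they signal, they never clear credentials."""
    path, user = environ.get("PATH_INFO", "/"), environ.get("REMOTE_USER")
    if path == "/logout":
        start_response("302 Found", [("Location", "/logged_out"), (LOGOUT_HEADER, "1")])
        return [b""]
    if path == "/secret":
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"login required"]
        if user != "admin":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"known user, not allowed"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s" % user).encode()]


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def run(app, path, **env):
    """Drive a WSGI app offline; returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    environ.update(env)
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body
```

Running `run(AuthMiddleware(demo_app, CookieIdentifier()), "/logout", HTTP_COOKIE="auth_tkt=alice")` yields the view's own 302 to `/logged_out` plus a cookie-expiring `Set-Cookie`; the same request against `BasicIdentifier` yields a 401 with `WWW-Authenticate`, and a 403 from `/secret` carries no `Set-Cookie` at all.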