Chris McDonough wrote:
> Tres Seaver wrote:
>> Chris McDonough wrote:
>>> FTR, I tried to apply the patch referenced in Lukasz' email to
>>> redirectingformplugin, but as I was doing that, I realized I don't know where
>>> SCRIPT_PATH is supposed to come from.  It's not a CGI or WSGI envvar as far as I
>>> can tell and it's not in wsgiorg.routing_args either.  Is it supposed to be
>>> I also took a look at FriendlyRedirectingFormPlugin.  FTR, I intend to add some
>>> facility to who in the near future that makes it possible to log a user out
>>> without necessarily displaying the challenge form (by maybe allowing the app to
>>> return a 403 Forbidden, which would "forget" credentials but just display the
>>> body of the page returned without actually invoking any challenger).
>> 403 won't cause any credentials to be forgotten:  it says, "I know who
>> you are, and you aren't allowed to access that resource."  Logging out
>> should *not* be an exceptional case:  it should just be a redirect to
>> whatever view / controller is responsible for triggering the "forget"
>> (i.e., clearing the cookie, removing a key from the session, whatever),
>> perhaps followed by a redirect to an unprotected "logged out" page (or
>> wherever works for the app).
> In our model, views/controllers return a status code (or at least a header)
> indicating what who should do.  They don't actually do the work themselves.

There *is* no status code corresponding to "log out."  I don't think
logging out can be done cleanly by middleware, frankly:  I think there
should be a "forgetCredentials" API which the app calls when it knows
that the user has requested a logout.

--
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
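The design argued for above, as an added example that is not part of the thread and not repoze.who's own code: since no HTTP status code means "log out", the authenticating middleware publishes an explicit "forget credentials" callable in the WSGI environ, and the application's logout view calls it when it knows the user asked to log out, then redirects to an unprotected "logged out" page. The cookie name `auth_tkt`, the environ keys `example.auth.forget` and `example.auth.userid`, and the paths are all assumptions made for the illustration.

```python
"""Added example: an explicit logout API between a WSGI app and its auth middleware.

Not repoze.who code; all names (cookie, environ keys, paths) are assumptions.
"""
from http.cookies import SimpleCookie

COOKIE_NAME = "auth_tkt"                # assumed cookie carrying the credential
ENV_FORGET_KEY = "example.auth.forget"  # assumed environ key for the forget() hook
ENV_USER_KEY = "example.auth.userid"    # assumed environ key for the identified user


class CookieAuthMiddleware:
    """Toy identifying middleware: reads the cookie, exposes forget() to the app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        morsel = cookie.get(COOKIE_NAME)
        environ[ENV_USER_KEY] = morsel.value if morsel else None
        forget_headers = []

        def forget():
            # Queue the header that clears the cookie.  The *app* decides when
            # to call this; it must do so before calling start_response.
            forget_headers.append(
                ("Set-Cookie", f"{COOKIE_NAME}=; Path=/; Max-Age=0"))

        environ[ENV_FORGET_KEY] = forget

        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + forget_headers, exc_info)

        return self.app(environ, wrapped_start_response)


def app(environ, start_response):
    """Application: logout is an ordinary view, not an exceptional status code."""
    path = environ.get("PATH_INFO", "/")
    if path == "/logout":
        # The app knows the user requested a logout: call the API, then redirect
        # to an unprotected page.  No 403 involved.
        environ[ENV_FORGET_KEY]()
        start_response("302 Found", [("Location", "/logged-out")])
        return [b""]
    if path == "/logged-out":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"You are logged out."]
    userid = environ.get(ENV_USER_KEY)
    if userid is None:
        # Unidentified: 401 ("who are you?"), not 403 ("I know you; you may not").
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + userid.encode()]


application = CookieAuthMiddleware(app)


def call(wsgi_app, path, cookie_header=None):
    """Minimal in-process WSGI caller; returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if cookie_header:
        environ["HTTP_COOKIE"] = cookie_header
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed requests: a logout with a live cookie, then a protected page.
    print(call(application, "/logout", "auth_tkt=alice"))
    print(call(application, "/secret", "auth_tkt=alice"))
    print(call(application, "/secret"))
```

The point of the structure is that the middleware never guesses intent from a status code: it only identifies the user and offers a hook, while the application, which alone knows that "/logout" means logout, calls the hook and chooses where to redirect.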

Repoze-dev mailing list