Hello everyone,
It seems odd to me that repoze.who would log someone out who is not
authorized to a certain part of a web site.  Unless I'm doing something
wrong it seems like there is no good way around it either.

The only solution I could find is creating my own redirecting form plugin
that adds a config option for an unauthorized url--so the app can tell the
user they don't belong in this area of the site.  Then I had to remove lines
253 - 259 of middleware.py of repoze.who also,

>         if identifier:
>             forget_headers = identifier.forget(environ, identity)
>             if forget_headers is None:
>                 forget_headers = []
>             else:
>                 logger and logger.info('forgetting via headers from %s: %s'
>                                        % (identifier, forget_headers))

The custom redirecting form plugin looks like so,

> import cgi
> import urllib
> import urlparse
>
> from paste.httpexceptions import HTTPFound
> from paste.request import construct_url
> from paste.response import header_value
> from zope.interface import implements
>
> from repoze.who.interfaces import IChallenger, IIdentifier
> from repoze.who.plugins.form import RedirectingFormPlugin
>
>
> class MyRedirectingFormPlugin(RedirectingFormPlugin):
>
>     implements(IChallenger, IIdentifier)
>
>     def __init__(self, login_form_url, login_handler_path, logout_handler_path,
>                  rememberer_name, unauthorized_url, reason_param='reason'):
>         super(MyRedirectingFormPlugin, self).__init__(
>             login_form_url,
>             login_handler_path,
>             logout_handler_path,
>             rememberer_name,
>             reason_param=reason_param,
>         )
>         # Where to send a user who is logged in but not allowed here
>         self.unauthorized_url = unauthorized_url
>
>     # IChallenger
>     def challenge(self, environ, status, app_headers, forget_headers):
>         reason = header_value(app_headers, 'X-Authorization-Failure-Reason')
>
>         # An identity in the environ means the user is already
>         # authenticated, so send them to the "unauthorized" page
>         # rather than back to the login form.
>         if environ.get('repoze.who.identity', False):
>             url_parts = list(urlparse.urlparse(self.unauthorized_url))
>         else:
>             url_parts = list(urlparse.urlparse(self.login_form_url))
>
>         query = url_parts[4]
>         query_elements = cgi.parse_qs(query)
>         came_from = environ.get('came_from', construct_url(environ))
>         query_elements['came_from'] = came_from
>         if reason:
>             query_elements[self.reason_param] = reason
>         url_parts[4] = urllib.urlencode(query_elements, doseq=True)
>         login_form_url = urlparse.urlunparse(url_parts)
>         headers = [('Location', login_form_url)]
>         cookies = [(h, v) for (h, v) in app_headers if h.lower() == 'set-cookie']
>         # forget_headers is whatever the middleware passed in
>         headers = headers + forget_headers + cookies
>         return HTTPFound(headers=headers)

Doesn't seem to make sense to log a person out just because they are
unauthorized does it?

I'm really not sure and a little new to all this stuff so please tell me if
there is a better way to do this sort of thing.


thanks,
Nathan
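As an added illustration (my own code, not the plugin from the message above and not part of repoze.who), the following self-contained Python 3 WSGI stack shows the split the message is asking for: a 401 from the application (no valid identity) becomes a redirect to the login form together with "forget" headers that expire the session cookie, while a 403 (a valid identity that lacks a permission) becomes a redirect to an "unauthorized" page with the session cookie left alone. The URLs, the cookie name, the session table, the role check and the request driver are all constructed for the example; the `X-Authorization-Failure-Reason` header is the one the plugin above already reads.

```python
"""Added example: forget credentials on 401, keep them on 403.

Everything here (URLs, cookie name, session table, role rule) is constructed
for illustration; it is not repoze.who's code.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

LOGIN_FORM_URL = "/login"           # constructed
UNAUTHORIZED_URL = "/unauthorized"  # constructed
SESSION_COOKIE = "session"          # constructed cookie name

# Constructed session store: cookie value -> identity
SESSIONS = {
    "tok-alice": {"repoze.who.userid": "alice", "roles": {"viewer"}},
    "tok-bob": {"repoze.who.userid": "bob", "roles": {"viewer", "admin"}},
}


def identify(environ):
    """Identifier step: map the session cookie to an identity, or None."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def forget_headers():
    """The identifier's 'forget': headers that expire the session cookie."""
    return [("Set-Cookie", "%s=; Max-Age=0; Path=/; HttpOnly" % SESSION_COOKIE)]


def protected_app(environ, start_response):
    """Downstream app: everything needs a login, /admin also needs 'admin'."""
    identity = environ.get("repoze.who.identity")
    if identity is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required"]
    if environ["PATH_INFO"].startswith("/admin") and "admin" not in identity["roles"]:
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain"),
            ("X-Authorization-Failure-Reason", "admin role required")])
        return [b"forbidden"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"welcome " + identity["repoze.who.userid"].encode()]


def invoke(app, environ):
    """Run one WSGI request and return (status, headers, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def redirect_url(base, came_from, reason=None):
    """Append came_from (and an optional reason) to the query of base."""
    parts = list(urlparse(base))
    query = parse_qs(parts[4])
    query["came_from"] = [came_from]
    if reason:
        query["reason"] = [reason]
    parts[4] = urlencode(query, doseq=True)
    return urlunparse(parts)


def challenge_middleware(app):
    """Identify the caller, then turn a 401 or 403 into the right redirect."""
    def wrapped(environ, start_response):
        identity = identify(environ)
        if identity is not None:
            environ["repoze.who.identity"] = identity
        status, headers, body = invoke(app, environ)
        came_from = environ["PATH_INFO"]
        if status.startswith("401"):
            # Not authenticated: challenge and clear any stale/unknown cookie.
            location = redirect_url(LOGIN_FORM_URL, came_from)
            start_response("302 Found", [("Location", location)] + forget_headers())
            return [b""]
        if status.startswith("403"):
            # Authenticated but not authorized: keep the session, explain why.
            reason = dict((h.lower(), v) for h, v in headers).get(
                "x-authorization-failure-reason")
            location = redirect_url(UNAUTHORIZED_URL, came_from, reason)
            start_response("302 Found", [("Location", location)])
            return [b""]
        start_response(status, headers)
        return [body]
    return wrapped


def request(path, cookie=None):
    """Constructed driver: one GET through the wrapped app."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = "%s=%s" % (SESSION_COOKIE, cookie)
    return invoke(challenge_middleware(protected_app), environ)
```

The design point is that the decision to forget belongs with the status the application emits, not with the challenge step itself: a 401 means the presented credentials are absent or no longer valid, so clearing them is the right defensive move (it stops a stale cookie from being re-sent on every request), whereas a 403 means the credentials are fine and only the permission is missing, so throwing the session away punishes a legitimate user without improving security. In repoze.who the default challenge decider only fires on a 401, so an application that returns 403 for authorization failures never reaches the `forget` code quoted above in the first place.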
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
