Nathan Van Gheem wrote:
> Hello everyone,
> It seems odd to me that repoze.who would log someone out who is not
> authorized to a certain part of a web site. Unless I'm doing something
> wrong it seems like there is no good way around it either.
>
> The only solution I could find is creating my own redirecting form plugin
> that adds a config option for an unauthorized url--so the app can tell the
> user they don't belong in this area of the site. Then I had to remove lines
> 253 - 259 of middleware.py of repoze.who also,
>
>     if identifier:
>         forget_headers = identifier.forget(environ, identity)
>         if forget_headers is None:
>             forget_headers = []
>         else:
>             logger and logger.info('forgetting via headers from %s: %s'
>                                    % (identifier, forget_headers))
>
> The custom redirecting form plugin looks like so,
>
>     # Imports added for completeness (not in the original mail); they match
>     # what repoze.who's own plugins/form.py uses.
>     import cgi
>     import urllib
>     import urlparse
>
>     from paste.httpexceptions import HTTPFound
>     from paste.request import construct_url
>     from paste.response import header_value
>     from zope.interface import implements
>
>     from repoze.who.interfaces import IChallenger, IIdentifier
>     from repoze.who.plugins.form import RedirectingFormPlugin
>
>
>     class MyRedirectingFormPlugin(RedirectingFormPlugin):
>
>         implements(IChallenger, IIdentifier)
>
>         def __init__(self, login_form_url, login_handler_path,
>                      logout_handler_path, rememberer_name, unauthorized_url,
>                      reason_param='reason'):
>             super(MyRedirectingFormPlugin, self).__init__(
>                 login_form_url,
>                 login_handler_path,
>                 logout_handler_path,
>                 rememberer_name,
>                 reason_param=reason_param,  # was hard-coded to 'reason', ignoring the argument
>                 )
>             self.unauthorized_url = unauthorized_url
>
>         # IChallenger
>         def challenge(self, environ, status, app_headers, forget_headers):
>             reason = header_value(app_headers, 'X-Authorization-Failure-Reason')
>             # An already-identified user is sent to the "unauthorized" page,
>             # an anonymous one to the login form.
>             if environ.get('repoze.who.identity', False):
>                 url_parts = list(urlparse.urlparse(self.unauthorized_url))
>             else:
>                 url_parts = list(urlparse.urlparse(self.login_form_url))
>
>             query = url_parts[4]
>             query_elements = cgi.parse_qs(query)
>             came_from = environ.get('came_from', construct_url(environ))
>             query_elements['came_from'] = came_from
>             if reason:
>                 query_elements[self.reason_param] = reason
>             url_parts[4] = urllib.urlencode(query_elements, doseq=True)
>             login_form_url = urlparse.urlunparse(url_parts)
>             headers = [('Location', login_form_url)]
>             cookies = [(h, v) for (h, v) in app_headers
>                        if h.lower() == 'set-cookie']
>             headers = headers + forget_headers + cookies
>             return HTTPFound(headers=headers)
>
> Doesn't seem to make sense to log a person out just because they are
> unauthorized does it?
>
> I'm really not sure and a little new to all this stuff so please tell me if
> there is a better way to do this sort of thing.
The "correct" behavior is for the application to return a "Forbidden" error response (HTTP response code 403) for authenticated users, and only raise an "Unauthorized" (401) for anonymous users: the 401 response is misnamed, but the semantics defined in RFC 2615[1] clearly require a fresh challenge.

[1] See sections 10.4.2 and 10.4.4 of http://www.ietf.org/rfc/rfc2616.txt

Tres.

Tres Seaver, Palladion Software, "Excellence by Design", http://palladion.com

Repoze-dev mailing list: http://lists.repoze.org/listinfo/repoze-dev
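The 401-versus-403 rule from Tres's reply, as an added example that is not part of the thread or of repoze.who: a small WSGI app answers 401 only for anonymous requests and 403 for an authenticated user who is not allowed into /admin, and a hypothetical ChallengeMiddleware redirects to a login form and emits a forget cookie only for the statuses it is configured to challenge on. LOGIN_URL, the auth_tkt cookie, ChallengeMiddleware and the request() driver are constructed for this example; the "lenient" instance at the bottom reproduces the log-out-on-403 behaviour Nathan observed.

```python
from wsgiref.util import setup_testing_defaults

LOGIN_URL = '/login'                                     # hypothetical login form
FORGET = ('Set-Cookie', 'auth_tkt=; Path=/; Max-Age=0')  # hypothetical forget header

def protected_app(environ, start_response):
    """Hypothetical app: 401 only for anonymous users, 403 for a non-admin on /admin."""
    identity = environ.get('repoze.who.identity')
    if identity is None:
        start_response('401 Unauthorized', [('Content-Type', 'text/plain')])
        return [b'login required']
    if environ['PATH_INFO'].startswith('/admin') and \
            identity.get('repoze.who.userid') != 'admin':
        start_response('403 Forbidden', [('Content-Type', 'text/plain')])
        return [b'not allowed here']
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'welcome']

class ChallengeMiddleware(object):
    """Redirect to login and forget the identity when the status is in challenge_on."""
    def __init__(self, app, challenge_on=('401',)):
        self.app, self.challenge_on = app, challenge_on

    def __call__(self, environ, start_response):
        seen = {}
        def capture(status, headers, exc_info=None):
            seen['status'], seen['headers'] = status, headers
        body = self.app(environ, capture)
        if seen['status'][:3] in self.challenge_on:
            location = LOGIN_URL + '?came_from=' + environ['PATH_INFO']
            start_response('302 Found', [('Location', location), FORGET])
            return [b'']
        start_response(seen['status'], seen['headers'])   # pass 403 (and 200) through untouched
        return body

def request(app, path, userid=None):
    """Drive a WSGI app offline with a constructed environ; return (status, headers)."""
    environ = {'PATH_INFO': path}
    setup_testing_defaults(environ)
    if userid is not None:        # simulate an identity repoze.who already established
        environ['repoze.who.identity'] = {'repoze.who.userid': userid}
    result = {}
    def start_response(status, headers, exc_info=None):
        result['status'], result['headers'] = status, headers
    list(app(environ, start_response))
    return result['status'], result['headers']

strict = ChallengeMiddleware(protected_app)                   # challenge on 401 only
lenient = ChallengeMiddleware(protected_app, ('401', '403'))  # also logs out on 403
```

With `strict`, an authenticated non-admin hitting /admin gets a plain 403 and keeps the session cookie; with `lenient`, the same request is turned into a login redirect carrying the forget header.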