Nathan Van Gheem wrote:
> Hello everyone,
> It seems odd to me that repoze.who would log someone out who is not
> authorized to a certain part of a web site.  Unless I'm doing something
> wrong it seems like there is no good way around it either.
> 
> The only solution I could find is creating my own redirecting form plugin
> that adds a config option for an unauthorized url--so the app can tell the
> user they don't belong in this area of the site.  Then I had to remove lines
> 253 - 259 of middleware.py of repoze.who also,
> 
>>         if identifier:
>>             forget_headers = identifier.forget(environ, identity)
>>             if forget_headers is None:
>>                 forget_headers = []
>>             else:
>>                 logger and logger.info('forgetting via headers from %s: %s'
>>                                        % (identifier, forget_headers))
> 
> The custom redirecting form plugin looks like so,
> 
>> import cgi
>> import urllib
>> import urlparse
>>
>> from paste.httpexceptions import HTTPFound
>> from paste.request import construct_url
>> from paste.response import header_value
>> from zope.interface import implements
>>
>> from repoze.who.interfaces import IChallenger, IIdentifier
>> from repoze.who.plugins.form import RedirectingFormPlugin
>>
>>
>> class MyRedirectingFormPlugin(RedirectingFormPlugin):
>>
>>     implements(IChallenger, IIdentifier)
>>
>>     def __init__(self, login_form_url, login_handler_path, logout_handler_path,
>>                  rememberer_name, unauthorized_url, reason_param='reason'):
>>         super(MyRedirectingFormPlugin, self).__init__(
>>             login_form_url,
>>             login_handler_path,
>>             logout_handler_path,
>>             rememberer_name,
>>             reason_param=reason_param,  # pass the caller's value through
>>         )
>>         self.unauthorized_url = unauthorized_url
>>
>>     # IChallenger
>>     def challenge(self, environ, status, app_headers, forget_headers):
>>         reason = header_value(app_headers, 'X-Authorization-Failure-Reason')
>>         # identified users go to the unauthorized page, anonymous ones to the login form
>>         if environ.get('repoze.who.identity', False):
>>             url_parts = list(urlparse.urlparse(self.unauthorized_url))
>>         else:
>>             url_parts = list(urlparse.urlparse(self.login_form_url))
>>
>>         query = url_parts[4]
>>         query_elements = cgi.parse_qs(query)
>>         came_from = environ.get('came_from', construct_url(environ))
>>         query_elements['came_from'] = came_from
>>         if reason:
>>             query_elements[self.reason_param] = reason
>>         url_parts[4] = urllib.urlencode(query_elements, doseq=True)
>>         login_form_url = urlparse.urlunparse(url_parts)
>>         headers = [('Location', login_form_url)]
>>         cookies = [(h, v) for (h, v) in app_headers if h.lower() == 'set-cookie']
>>         headers = headers + forget_headers + cookies
>>         return HTTPFound(headers=headers)
> 
> Doesn't seem to make sense to log a person out just because they are
> unauthorized, does it?
> 
> I'm really not sure and a little new to all this stuff so please tell me if
> there is a better way to do this sort of thing.

The "correct" behavior is for the application to return a "Forbidden" error
response (HTTP response code 403) for authenticated users, and only
raise an "Unauthorized" (401) for anonymous users:  the 401 response is
misnamed, but the semantics defined in RFC 2616[1] clearly require a
fresh challenge.

[1] See section 10.4.2 and 10.4.4 of http://www.ietf.org/rfc/rfc2616.txt

Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
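The 401-versus-403 split Tres describes, as an added example that is not part of the thread or of repoze.who: a plain WSGI app (Python 3, no repoze.who dependency) that answers 403 to a user who is identified but not allowed into an area, and 401 only to an anonymous user, plus a toy challenge stage that redirects to the login form and emits a forget header only on the 401. The `ACL` table, `LOGIN_FORM_URL`, `make_environ` and `call` are constructed for the example; the environ keys `repoze.who.identity` and `repoze.who.userid` are the ones repoze.who sets.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed access-control table: path prefix -> user ids allowed there.
ACL = {
    '/admin': {'alice'},
    '/reports': {'alice', 'bob'},
}
LOGIN_FORM_URL = '/login'  # assumed location of the login form


def status_for(environ, path):
    """403 for a known user in the wrong area, 401 only when nobody is logged in."""
    allowed = next((users for prefix, users in ACL.items()
                    if path.startswith(prefix)), None)
    if allowed is None:
        return '200 OK'                 # public area
    identity = environ.get('repoze.who.identity')
    if identity is None:
        return '401 Unauthorized'       # anonymous: a fresh challenge is wanted
    if identity.get('repoze.who.userid') in allowed:
        return '200 OK'
    return '403 Forbidden'              # authenticated but not permitted: no re-login


def app(environ, start_response):
    status = status_for(environ, environ.get('PATH_INFO', '/'))
    start_response(status, [('Content-Type', 'text/plain')])
    return [status.encode()]


def login_redirect_url(came_from, login_form_url=LOGIN_FORM_URL):
    """Append came_from to the login form URL, keeping any existing query."""
    parts = list(urlsplit(login_form_url))
    query = parse_qs(parts[3])
    query['came_from'] = [came_from]
    parts[3] = urlencode(query, doseq=True)
    return urlunsplit(parts)


def challenge_middleware(wrapped_app):
    """Toy stand-in for a challenge stage: turn a 401 into a redirect to the
    login form and drop the session cookie; pass a 403 through untouched."""
    def middleware(environ, start_response):
        seen = {}

        def capture(status, headers, exc_info=None):
            seen['status'], seen['headers'] = status, headers
            return lambda data: None

        body = wrapped_app(environ, capture)
        if seen['status'].startswith('401'):
            headers = [
                ('Location', login_redirect_url(environ.get('PATH_INFO', '/'))),
                ('Set-Cookie', 'auth_tkt=; Max-Age=0'),   # the "forget" header
            ]
            start_response('302 Found', headers)
            return [b'']
        start_response(seen['status'], seen['headers'])
        return body
    return middleware


def make_environ(path, userid=None):
    """Build a minimal WSGI environ, optionally with a repoze.who identity."""
    environ = {'PATH_INFO': path, 'REQUEST_METHOD': 'GET'}
    if userid is not None:
        environ['repoze.who.identity'] = {'repoze.who.userid': userid}
    return environ


def call(environ):
    """Run the wrapped app and return (status, headers, body) for inspection."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result['status'], result['headers'] = status, headers

    body = b''.join(challenge_middleware(app)(environ, start_response))
    return result['status'], result['headers'], body


if __name__ == '__main__':
    for env in (make_environ('/admin'), make_environ('/admin', 'bob'),
                make_environ('/reports', 'bob')):
        print(env['PATH_INFO'], env.get('repoze.who.identity'), call(env)[:2])
```

Only the anonymous request is redirected and has its cookie cleared; `bob` asking for `/admin` gets a 403 with no `Set-Cookie` header, so his session survives and he can go on using `/reports`.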
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev