I'm going to claim ignorance here.
I don't use tokens, and to be honest, if I had it to do all over again, I
wouldn't expose them in the r.who API at all. auth_tkt has severe featureitis:
tokens vs. user_data, and other distinctions that nobody really needs or
understands at all.
That said, given that I neither use nor understand their purpose of tokens, I'd
be apt to take any patch that made the feature useful to someone.
On 4/3/10 6:54 PM, Matt Goodall wrote:
> I was just experimenting with adding a token to the auth_tkt cookie
> but I think the current implementation is incorrect.
> The repoze.who code is trying to handle a string or a list by
> converting a list into a comma-separated string before calling paste's
> auth_tkt. However, Paste is documented as expecting "a list of
> strings". As a result, repoze.who gets it wrong whatever you pass as
> * 'foo' is added to the cookie as 'f,o,o'; should be 'foo'
> * ['foo'] is added to the cookie as 'f,o,o'; should be 'foo'
> * ['foo', 'bar'] is added to the cookie as 'f,o,o,,,b,a,r'; should be
> (Paste also allows a token containing a comma which really screws
> things up at parse time but that's a different matter ;-)
> I'm not sure anyone can be using tokens in their current state so I
> suggest repoze.who always treats tokens as a list of strings to match
> Paste. I'm happy to send a patch for that but wanted to check you
> agreed with the reasoning first.
> - Matt
> Repoze-dev mailing list
Agendaless Consulting, Fredericksburg VA
The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book
Repoze-dev mailing list