I'm going to claim ignorance here. I don't use tokens, and to be honest, if I had it to do all over again, I wouldn't expose them in the r.who API at all. auth_tkt has severe featureitis: tokens vs. user_data, and other distinctions that nobody really needs or understands at all.
That said, given that I neither use nor understand their purpose of tokens, I'd be apt to take any patch that made the feature useful to someone. - C On 4/3/10 6:54 PM, Matt Goodall wrote: > Hi, > > I was just experimenting with adding a token to the auth_tkt cookie > but I think the current implementation is incorrect. > > The repoze.who code is trying to handle a string or a list by > converting a list into a comma-separated string before calling paste's > auth_tkt. However, Paste is documented as expecting "a list of > strings". As a result, repoze.who gets it wrong whatever you pass as > tokens: > > * 'foo' is added to the cookie as 'f,o,o'; should be 'foo' > * ['foo'] is added to the cookie as 'f,o,o'; should be 'foo' > * ['foo', 'bar'] is added to the cookie as 'f,o,o,,,b,a,r'; should be > 'foo,bar' > > (Paste also allows a token containing a comma which really screws > things up at parse time but that's a different matter ;-) > > I'm not sure anyone can be using tokens in their current state so I > suggest repoze.who always treats tokens as a list of strings to match > Paste. I'm happy to send a patch for that but wanted to check you > agreed with the reasoning first. > > - Matt > _______________________________________________ > Repoze-dev mailing list > Repozeemail@example.com > http://lists.repoze.org/listinfo/repoze-dev > -- Chris McDonough Agendaless Consulting, Fredericksburg VA The repoze.bfg Web Application Framework Book: http://bfg.repoze.org/book _______________________________________________ Repoze-dev mailing list Repozefirstname.lastname@example.org http://lists.repoze.org/listinfo/repoze-dev