Hello, I'm currently migrating an application from repoze.who 1.0.18 to repoze.who 2.0, trying to fix some quirks that have accumulated over the months. We have some custom code to satisfy our requirements, but it is badly formulated, IMO, and I would like to take more advantage of the built-in plugins of repoze.who instead of working around them so much.
So, here are a few questions I'm asking myself while configuring all the pieces together.

1) `IIdentifier.identify()` says: "If the identity can be 'preauthenticated' [...], the plugin should set the userid in the special 'repoze.who.userid' key; no authenticators will be asked to authenticate the identity thereafter." http://docs.repoze.org/who/2.0/api.html#repoze.who.interfaces.IIdentifier.identify

I tried to make it work using the auth_tkt plugin (which, weirdly, doesn't do that by default), and it seems it doesn't work. Looking at the code (`API.authenticate()`), I can't figure out where this would happen anyway. Am I missing something?

2) Next, I have a question about plugin ordering. I have several authenticators (the auth_tkt one, a SQL-based one, and a custom one, configured in this order). We have to deal with a case in our application where, if a user is *already* authenticated as user X (by auth_tkt) and submits the login form with another valid login/password which returns user Y from the SQL plugin, then repoze.who keeps the authenticated user ID as X (whereas Y would have been nice). It seems repoze.who does some weighting when there are several results during `API.authenticate()`, but I'm wondering:

a. It does the weighting by increasing identifier_rank and auth_rank and then calling .sort() on the result, but the first result, sorted or not, will always be the best pick. Why sort, and why actually continue to query the rest of the plugins once it finds one result? (I'm speaking about this https://github.com/repoze/repoze.who/blob/master/repoze/who/api.py#L133 and this https://github.com/repoze/repoze.who/blob/master/repoze/who/api.py#L336)

b. Is the configuration order of the authenticator plugins the way to deal with this ordering issue? If so, I suppose placing my SQL plugin in front of all the other plugins should fix my problem, am I right?

3) Finally, one last question. Our application currently raises 401 if the user tries to access pages he doesn't have the right to see. In this case, we would like to redirect the user to the login form, telling him that if he wants to access those pages, he should re-authenticate as another user who has the rights to do so, but *without logging out* the user (that's the trick). I was considering using `redirector.Redirect` to do this, but unfortunately it also forgets the user. I'm considering wrapping the Redirect plugin in an object of mine implementing IChallenger, which would pass the arguments of .challenge() through to Redirect, removing the forget_headers argument in the meantime. Is there a better way to achieve the same thing?

_______________________________________________
Repoze-dev mailing list
Repozeemail@example.com
http://lists.repoze.org/listinfo/repoze-dev
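The wrapper sketched in question 3, written out as an added example. This is not code from the post or from repoze.who itself; it assumes only that the wrapped plugin exposes IChallenger's `challenge(environ, status, app_headers, forget_headers)` and returns a WSGI app (or None to decline). `FakeRedirector` is a constructed stand-in that mimics a redirecting challenger so the example runs without repoze.who installed; a real plugin would also declare `IChallenger` via zope.interface, which is omitted here.

```python
"""Added example: an IChallenger wrapper that forwards a challenge to a
redirecting challenger but drops the forget_headers, so the user is sent
to the login form without being logged out.

Assumptions (not from the original post):
- the wrapped object implements IChallenger's
  challenge(environ, status, app_headers, forget_headers) and returns a
  WSGI app, or None to decline the challenge;
- FakeRedirector is a constructed stand-in for repoze.who's redirector
  plugin, present only so this runs offline.
"""


class KeepIdentityChallenger:
    """Wrap another IChallenger and pass the challenge through with an empty
    forget_headers list, so the wrapped challenger never emits the
    cookie-clearing headers produced by the identifiers' forget()."""

    def __init__(self, wrapped):
        self.wrapped = wrapped

    def challenge(self, environ, status, app_headers, forget_headers):
        # forget_headers is deliberately discarded: the caller stays logged in
        # and can re-authenticate as someone else from the login form.
        return self.wrapped.challenge(environ, status, app_headers, [])


class FakeRedirector:
    """Constructed stand-in for a redirecting challenger: answers with a WSGI
    app that issues a 302 to login_url and includes whatever app_headers and
    forget_headers it was handed (which is what logs the user out)."""

    def __init__(self, login_url):
        self.login_url = login_url

    def challenge(self, environ, status, app_headers, forget_headers):
        headers = [("Location", self.login_url)]
        headers.extend(app_headers)
        headers.extend(forget_headers)

        def redirect_app(environ, start_response):
            start_response("302 Found", headers)
            return [b""]

        return redirect_app


def run_challenge(challenger, forget_headers):
    """Drive the challenger's WSGI app and return the (status, headers) it
    sends, so the effect on the session cookie can be inspected."""
    app = challenger.challenge({}, "401 Unauthorized", [], forget_headers)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    list(app({}, start_response))
    return captured["status"], captured["headers"]


# Constructed header of the kind an identifier's forget() returns to clear
# the auth_tkt cookie (value made up for the example).
FORGET = [("Set-Cookie", 'auth_tkt=""; Path=/; Max-Age=0')]


def cookie_cleared(headers):
    """True if any Set-Cookie header in the response expires the session."""
    return any(name == "Set-Cookie" and "Max-Age=0" in value
               for name, value in headers)


if __name__ == "__main__":
    plain = FakeRedirector("/login?reason=insufficient_rights")
    status, headers = run_challenge(plain, FORGET)
    print("unwrapped:", status, "clears cookie:", cookie_cleared(headers))

    keep = KeepIdentityChallenger(plain)
    status, headers = run_challenge(keep, FORGET)
    print("wrapped:  ", status, "clears cookie:", cookie_cleared(headers))
```

Because the wrapper only changes what reaches the inner plugin, it can be registered in place of the redirector as the challenger for the 401 case, while the normal "not logged in at all" flow can keep the unwrapped redirector.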