I'm currently migrating an application from repoze.who 1.0.18 to
repoze.who 2.0, trying to change some quirks which have accumulated
over the months.
We have some custom code to satisfy our requirements, but it is
badly formulated IMO and I would like to take more advantage of the
built-in plugins of repoze.who, instead of trying to work too much

So, here are a few questions I'm asking while configuring all the stuff.

1) `IIdentifier.identity()` says:

    If the identity can be 'preauthenticated' [...], the plugin should
    set the userid in the special 'repoze.who.userid' key; no
    authenticators will be asked to authenticate the identity thereafter.


I tried to make it work using the auth_tkt plugin (which doesn't do
that by default, weirdly), and it seems it doesn't work. Looking at the
code (`API.authenticate()`), I can't figure out where this would
happen anyway. Am I missing something?

2) Next, I have a question about plugins' ordering: I have several
authenticators (the auth_tkt one, a SQL-based one, and a custom one,
configured in this order).
We have to deal with a case in our application where, if a user is
*already* authenticated as user X (by auth_tkt) and submits the login
form with another valid login/password which returns user Y from the SQL
plugin, then repoze.who keeps the authenticated user ID set to X (whereas Y
would have been nice).
It seems repoze.who does some weighting in case of several results
during `API.authenticate()`, but I'm wondering:

a. It does weighting by increasing identifier_rank and auth_rank and
then .sort() the result, but the first result, sorted or not, will
always be the best pick. Why sorting, why actually continuing to query
the rest of the plugins once it finds one result? (I'm speaking about
and this

b. Is the configuration order of the authenticator plugins the way to
deal with this ordering issue? If so, I suppose placing my SQL plugin in
front of all the other plugins should fix my problem, am I right?

3) Finally, one last question. Our application currently raises 401 if
the user tries to access pages he doesn't have the right to see. In this
case, we would like to redirect the user to the login form, telling him
that if he wants to access those pages, he should re-authenticate as
another user which has the rights to do so, but *without logging out*
the user (that's the trick).
I was considering using the `redirector.Redirect` to do this, but
unfortunately, it also forgets the user. I'm considering wrapping the
Redirect plugin into an object of mine implementing IChallenger, which
would pass the arguments of .challenge() to Redirect, removing the
forget_headers argument in the meanwhile. Is there a better way to
achieve the same?

Repoze-dev mailing list
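The wrapper sketched in question 3, written out as an added example (it is not code from the post, nor from repoze.who itself). `KeepIdentityChallenger` implements the `IChallenger.challenge(environ, status, app_headers, forget_headers)` signature and delegates to an inner challenger with an empty `forget_headers` list, so the redirect to the login form is issued but the auth_tkt cookie is never expired. `StandInRedirector`, the `FORGET_HEADERS` sample and the `came_from` parameter name are constructed for this example so it runs offline; they only assume, as the post does, that the real redirector plugin appends whatever it is given in `forget_headers` to its 302 response.

```python
# Added example, not part of the original post or of repoze.who.
# Assumption (constructed stand-in): the redirector challenger builds a 302 to
# the login URL and appends every header in forget_headers to that response;
# those Set-Cookie headers are what expire auth_tkt and "forget" the user.
from urllib.parse import quote


class StandInRedirector:
    """Constructed stand-in for the redirector challenger plugin."""

    def __init__(self, login_url, came_from_param='came_from'):
        self.login_url = login_url
        self.came_from_param = came_from_param

    def challenge(self, environ, status, app_headers, forget_headers):
        came_from = environ.get('PATH_INFO', '/')
        location = '%s?%s=%s' % (
            self.login_url, self.came_from_param, quote(came_from, safe=''))
        # Like the real plugin: the forget headers ride along on the redirect.
        headers = [('Location', location)] + list(forget_headers)

        def redirect_app(environ, start_response):
            start_response('302 Found', headers)
            return [b'']

        return redirect_app


class KeepIdentityChallenger:
    """IChallenger wrapper: same redirect, but the identity is not forgotten.

    Configured in place of the redirector, it hands the inner plugin an empty
    forget_headers list. The identifier's cookie-expiring headers therefore
    never reach the response, and the user stays authenticated as X while
    being asked to log in as someone else. app_headers (set by the app on its
    401) are forwarded untouched.
    """

    def __init__(self, inner):
        self.inner = inner

    def challenge(self, environ, status, app_headers, forget_headers):
        return self.inner.challenge(environ, status, app_headers, [])


def run_challenge(challenger, environ, forget_headers):
    """Invoke challenge() as the middleware would and capture the response."""
    app = challenger.challenge(environ, '401 Unauthorized', [], forget_headers)
    if app is None:  # an IChallenger may decline to challenge
        return None, []
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = list(headers)

    b''.join(app(environ, start_response))
    return captured['status'], captured['headers']


# Constructed sample: the kind of headers an auth_tkt identifier's forget()
# returns (an expired cookie), and a request for a page the user may not see.
FORGET_HEADERS = [
    ('Set-Cookie',
     'auth_tkt=""; Path=/; Max-Age=0; Expires=Wed, 31-Dec-97 23:59:59 GMT'),
]
ENVIRON = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/admin/users'}


def has_forget_cookie(headers):
    """True if any Set-Cookie header in the response expires a cookie."""
    return any(name == 'Set-Cookie' and 'Max-Age=0' in value
               for name, value in headers)


def compare():
    """Run the same 401 challenge through the plain and the wrapped challenger.

    Returns ((status, headers), (status, headers)); only the plain result
    carries the cookie-expiring header.
    """
    plain = StandInRedirector('/login')
    wrapped = KeepIdentityChallenger(plain)
    return (run_challenge(plain, ENVIRON, FORGET_HEADERS),
            run_challenge(wrapped, ENVIRON, FORGET_HEADERS))


if __name__ == '__main__':
    (status, plain_headers), (_, kept_headers) = compare()
    print(status, plain_headers)
    print('plain redirect forgets user:', has_forget_cookie(plain_headers))
    print('wrapped redirect forgets user:', has_forget_cookie(kept_headers))
```

In a real deployment the wrapper would be instantiated around the configured redirector plugin in the repoze.who configuration; one thing to keep in mind is that the wrapper applies to every challenge the middleware issues, so a genuine logout path must send its own forget headers rather than rely on the challenge to do it.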
