[pylons-devel] Bugs in SessionAuthenticationPolicy

2014-08-06 Thread Karl O. Pinc
Hi,

I'm using pyramid 1.5.1 and in trying to figure
out SessionAuthenticationPolicy I found problems.
I looked at HEAD (I think) on github and problems
seem to exist there too.

unauthenticated_userid is not documented.


The callback function is never called.  The
debug output is:

2014-08-06 02:59:43,213 DEBUG [testlogin][Dummy-3] 
pyramid.authentication.SessionAuthenticationPolicy.effective_principals:
unauthenticated_userid returned None; returning ['system.Everyone']

The problem is that SessionAuthenticationPolicy
is counting on having a prefix + 'userid'
session key in request.session.  However there's 
no documentation on this and so the key does not exist.

One possible approach is to supply an identity
keyword argument in a fashion similar to that
in ReposeWho1AuthenticationPolicy so the
user knows what key is supposed to exist.
(This seems heavy-handed.)

I'm not really thinking things through at
the moment but it seems to me that there
needs to be some sort of documentation,
if not an interface, for setting the value
behind 
SessionAuthenticationPolicy.(un)authenticated_userid.
Or something.

As it is SessionAuthenticationPolicy is
impossible to use without snooping through
the source.

Sorry to run-on.  I've been working at
this for a while and my brain is full.

Meanwhile, if I simply set 
request.session[prefix + 'userid']
in my app will I be reasonably
future-proof?  (I've not actually tried this
to see if it works.)

Thanks.

Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein

-- 
You received this message because you are subscribed to the Google Groups 
pylons-devel group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to pylons-devel+unsubscr...@googlegroups.com.
To post to this group, send email to pylons-devel@googlegroups.com.
Visit this group at http://groups.google.com/group/pylons-devel.
For more options, visit https://groups.google.com/d/optout.


Re: [pylons-devel] Bugs in SessionAuthenticationPolicy

2014-08-06 Thread Michael Merickel
It sounds like you are not using the
`pyramid.security.remember(request, userid)` API to store the user in
the session. If you would like to store the userid directly you may but
you are circumventing the pyramid authentication APIs. As far as the
authenticated_userid, this will invoke your callback, but only if a
userid is found in the session in the first place (otherwise no one is
logged in and it short-circuits). unauthenticated_userid will return
the id directly found in the session and is mainly there as a hop
between the raw session and your callback.



Re: [pylons-devel] Bugs in SessionAuthenticationPolicy

2014-08-06 Thread Karl O. Pinc
On 08/06/2014 10:16:18 AM, Michael Merickel wrote:
> It sounds like you are not using the
> `pyramid.security.remember(request, userid)` API to store the user in
> the session.

No, I'm not.  The need for this is not mentioned anywhere in
the (1.5.1) security chapter.

Thanks for the help.




Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein
