Hello, everybody. I'm working on a solution for the following AuthTktCookiePlugin-specific problem: When the user account is deleted while the user is logged in, she will remain authenticated until her session cookie expires.
I think AuthTktCookiePlugin.__init__ should receive an optional callable which will check that the user account for the userid found in the session cookie still exists. Attached is a patch which implements this enhancement in repoze.who. Comments? Cheers! -- Gustavo Narea <http://gustavonarea.net/>. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Index: repoze/who/plugins/auth_tkt.py
===================================================================
--- repoze/who/plugins/auth_tkt.py (revision 3743)
+++ repoze/who/plugins/auth_tkt.py (working copy)
@@ -24,11 +24,12 @@
 }
 
 def __init__(self, secret, cookie_name='auth_tkt',
- secure=False, include_ip=False):
+ secure=False, include_ip=False, account_checker=None):
 self.secret = secret
 self.cookie_name = cookie_name
 self.include_ip = include_ip
 self.secure = secure
+ self.account_checker = account_checker
 
 # IIdentifier
 def identify(self, environ):
@@ -57,6 +58,9 @@
 decoder = self.userid_type_decoders.get(userid_type)
 if decoder:
 userid = decoder(userid)
+
+ if self.account_checker and not self.account_checker(userid):
+ return None
 
 if environ.get('REMOTE_USER_TOKENS'):
 # We want to add tokens/roles to what's there:
Index: repoze/who/tests.py
===================================================================
--- repoze/who/tests.py (revision 3743)
+++ repoze/who/tests.py (working copy)
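Review bot: The new `account_checker` parameter added to `__init__` is undocumented: nothing states what the callable receives or what its return value means, and the value it receives is the decoded userid (per the `userid_type_decoders` lookup in the following hunk, an int-typed ticket hands the checker an int, not a str). I would add to the constructor or class docstring a line such as `account_checker: optional callable taking the decoded userid; return a true value if the account still exists, a false value to reject the ticket. Invoked on every request that carries a ticket.` If the module's config-file factory (`make_plugin`) is not extended alongside, the option is reachable only from Python, which is worth stating in the same place. The `__init__` body is shown in full, but the enclosing class begins outside the hunk.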
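Review bot: The guard `if self.account_checker and not self.account_checker(userid): return None` leaves the checker's failure mode undefined: an exception raised inside the callable propagates out of `identify` and fails the whole request, whereas a checker that swallows a backend error and returns True fails open and lets a deleted account keep its session. A comment at the call site, e.g. `# account_checker must fail closed: a falsy result rejects the ticket; exceptions propagate to the caller`, would make the expected contract explicit for implementers. Returning None here also appears to leave the stale cookie on the client, so the checker will be re-run on every subsequent request until the ticket expires; the docs should say the lookup needs to be cheap or briefly cached. The rest of `identify`, including the ticket parsing that precedes this check, lies outside the hunk.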
@@ -1609,6 +1609,32 @@
 result = plugin.identify(environ)
 self.assertEqual(result, None)
 
+ def test_identify_with_checker_and_existing_account(self):
+ plugin = self._makeOne('secret', account_checker=dummy_account_checker)
+ val = self._makeTicket(userid='foo')
+ environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % val})
+ result = plugin.identify(environ)
+ self.assertEqual(len(result), 4)
+ self.assertEqual(result['tokens'], [''])
+ self.assertEqual(result['repoze.who.userid'], 'foo')
+ self.assertEqual(result['userdata'], 'userdata')
+ self.failUnless('timestamp' in result)
+ self.assertEqual(environ['REMOTE_USER_TOKENS'], [''])
+ self.assertEqual(environ['REMOTE_USER_DATA'],'userdata')
+ self.assertEqual(environ['AUTH_TYPE'],'cookie')
+
+ def test_identify_with_checker_and_non_existing_account(self):
+ plugin = self._makeOne('secret', account_checker=dummy_account_checker)
+ val = self._makeTicket(userid='bar')
+ environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % val})
+ original_environ = environ.copy()
+ result = plugin.identify(environ)
+ self.assertEqual(result, None)
+ # The environ must not have been modified, excuding the paste.cookies
+ # variable:
+ del environ['paste.cookies']
+ self.assertEqual(environ, original_environ)
+
 def test_remember_creds_same(self):
 plugin = self._makeOne('secret')
 val = self._makeTicket(userid='userid')
@@ -2730,6 +2756,11 @@
 def make_dummy_connfactory(**kw):
 return DummyConnFactory
 
+
+def dummy_account_checker(userid):
+ return userid == 'foo'
+
+
 def encode_multipart_formdata(fields):
 BOUNDARY = '----------ThIs_Is_tHe_bouNdaRY_$'
 CRLF = '\r\n'
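Review bot: The two new tests only exercise a str userid that either matches or does not match `dummy_account_checker`; neither verifies that the checker receives the decoded userid (the plugin consults `userid_type_decoders` before the check, so a ticket issued with a non-str userid type would hand the checker a converted value), nor what happens when the checker raises. A third test building a ticket with a non-str userid type and asserting the exact argument the checker saw would pin that contract; `dummy_account_checker` in the later hunk could be replaced by a small recording callable for that purpose. The non-existing-account test's environ comparison is a good guard that rejection happens before `REMOTE_USER_*` is written. The enclosing test class begins outside the hunk.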