Hello, everybody.

I'm working on a solution for the following AuthTktCookiePlugin-specific 
problem:
When the user account is deleted while the user is logged in, she will 
remain authenticated until her session cookie expires.

I think AuthTktCookiePlugin.__init__ should receive an optional callable which 
will check that the user account for the userid found in the session cookie 
still exists.

Attached is a patch which implements this enhancement in repoze.who.

Comments?

Cheers!
-- 
Gustavo Narea <http://gustavonarea.net/>.

Get rid of unethical constraints! Get freedomware:
http://www.getgnulinux.org/
Index: repoze/who/plugins/auth_tkt.py
===================================================================
--- repoze/who/plugins/auth_tkt.py	(revision 3743)
+++ repoze/who/plugins/auth_tkt.py	(working copy)
@@ -24,11 +24,12 @@
         }
     
     def __init__(self, secret, cookie_name='auth_tkt',
-                 secure=False, include_ip=False):
+                 secure=False, include_ip=False, account_checker=None):
         self.secret = secret
         self.cookie_name = cookie_name
         self.include_ip = include_ip
         self.secure = secure
+        self.account_checker = account_checker
 
     # IIdentifier
     def identify(self, environ):
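Review bot: The new account_checker parameter is undocumented, and the constructor signature is the only place a deployer will see it. A comment beside the assignment such as `# account_checker: optional callable(userid) -> bool; a false result makes identify() reject an otherwise valid ticket` would state the contract. If the module's make_plugin factory (outside this hunk) is not extended as well, deployments configured from an INI file cannot supply a callable here, which is likely the common way this plugin is set up. The class continues outside the hunk.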
@@ -57,6 +58,9 @@
                 decoder = self.userid_type_decoders.get(userid_type)
                 if decoder:
                     userid = decoder(userid)
+        
+        if self.account_checker and not self.account_checker(userid):
+            return None
             
         if environ.get('REMOTE_USER_TOKENS'):
             # We want to add tokens/roles to what's there:
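Review bot: The new guard returns None when the checker rejects the userid, but an exception raised by the checker (a database or network failure, say) propagates out of identify() and out of the middleware, so the behaviour under checker failure is left implicit; at minimum a comment such as `# account_checker runs on every request; an exception here propagates to the middleware` would make that visible, and the author may prefer to decide explicitly whether such a failure should be treated as "not identified". A rejected ticket is also not forgotten here: returning None does not emit this plugin's forget() headers, so the browser keeps presenting the stale cookie and the checker runs again on every request until the ticket expires, which is worth stating in the parameter's documentation. The check sits at method-body level after the decoder loop, so it sees the decoded userid, which is the right value to pass. identify() starts and ends outside the hunk.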
Index: repoze/who/tests.py
===================================================================
--- repoze/who/tests.py	(revision 3743)
+++ repoze/who/tests.py	(working copy)
@@ -1609,6 +1609,32 @@
         result = plugin.identify(environ)
         self.assertEqual(result, None)
     
+    def test_identify_with_checker_and_existing_account(self):
+        plugin = self._makeOne('secret', account_checker=dummy_account_checker)
+        val = self._makeTicket(userid='foo')
+        environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % val})
+        result = plugin.identify(environ)
+        self.assertEqual(len(result), 4)
+        self.assertEqual(result['tokens'], [''])
+        self.assertEqual(result['repoze.who.userid'], 'foo')
+        self.assertEqual(result['userdata'], 'userdata')
+        self.failUnless('timestamp' in result)
+        self.assertEqual(environ['REMOTE_USER_TOKENS'], [''])
+        self.assertEqual(environ['REMOTE_USER_DATA'],'userdata')
+        self.assertEqual(environ['AUTH_TYPE'],'cookie')
+    
+    def test_identify_with_checker_and_non_existing_account(self):
+        plugin = self._makeOne('secret', account_checker=dummy_account_checker)
+        val = self._makeTicket(userid='bar')
+        environ = self._makeEnviron({'HTTP_COOKIE':'auth_tkt=%s' % val})
+        original_environ = environ.copy()
+        result = plugin.identify(environ)
+        self.assertEqual(result, None)
+        # The environ must not have been modified, excuding the paste.cookies
+        # variable:
+        del environ['paste.cookies']
+        self.assertEqual(environ, original_environ)
+    
     def test_remember_creds_same(self):
         plugin = self._makeOne('secret')
         val = self._makeTicket(userid='userid')
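Review bot: Neither new test checks what value the checker is called with: dummy_account_checker only compares against 'foo', so a ticket whose userid passes through a userid_type decoder would not reveal whether the decoded or the raw value reaches the checker. A third test minting a ticket with a typed userid (if the _makeTicket helper supports it) and a checker that records its argument would pin that down. The comment at the end of the second test misspells `excluding` as `excuding`. The test class continues outside the hunk.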
@@ -2730,6 +2756,11 @@
 def make_dummy_connfactory(**kw):
     return DummyConnFactory
 
+
+def dummy_account_checker(userid):
+    return userid == 'foo'
+
+
 def encode_multipart_formdata(fields):
     BOUNDARY = '----------ThIs_Is_tHe_bouNdaRY_$'
     CRLF = '\r\n'