Is there ever a situation when a login method needs to be behind an
authenticated area?  If a user logs in as an editor, then
needs to log in as a manager, perhaps you would have that double
authorization request.  From what I see, repoze actually would replace
the current credentials with the new privileges and start a new
auth session rather than adding the extra group membership.

The login page should clear any existing credentials, prompt the
user for login information, and shouldn't be password protected.
Otherwise you have to decorate every method in your RootController
with:

@require(predicates.has_permission('manage', msg=_('Only for managers')))

except for the login and logout?

So, if someone needs to protect an application, they protect the
subcontrollers with one method, and the defined pages in the root
controller a separate way?

perhaps something like:

    import pylons

    # Paths that must stay reachable without any authorization.
    allowed_request_url = ['/login', '/login_handler', '/post_login_handler',
                           '/logout', '/post_logout_handler']

    if pylons.request.path in allowed_request_url:
        return True

or a proper fix.

The current implementation seems to stray from the DRY method.

On Feb 17, 7:17 pm, Gustavo Narea <[email protected]> wrote:
> That's right, you can only secure subcontrollers, not the whole root
> controller.

You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group.
http://groups.google.com/group/turbogears-trunk?hl=en
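The "one policy for the whole root controller, with the login round-trip exempted" idea from the post above, worked through as an added example. This is not code from the thread, from TurboGears or from repoze.what: the Predicate / has_permission / Any / check_authorization shapes mirror the repoze.what 1.x API as I remember it but are re-implemented here so the file runs offline, and `path_in`, `canonical_path`, `is_allowed` and the constructed WSGI environ are assumptions made for this illustration. The security point it adds to the thread's sketch is that a path allow-list is only safe if the path is canonicalized and matched exactly, so that `/login/`, `//login` and `/admin/../login` all count as `/login` while `/login/../admin` does not.

```python
"""Stand-alone model of the root-controller policy discussed in the thread.

Added example, not code from the thread, TurboGears or repoze.what.  The
Predicate / has_permission / Any / check_authorization shapes mirror the
repoze.what 1.x API from memory but are re-implemented so this runs offline;
`path_in`, `canonical_path`, `is_allowed` and the sample environ are
assumptions made for this illustration.
"""
import posixpath


class NotAuthorizedError(Exception):
    """Raised by a predicate that is not met."""


class Predicate(object):
    message = "Not authorized"

    def __init__(self, msg=None):
        if msg is not None:
            self.message = msg

    def evaluate(self, environ, credentials):
        raise NotImplementedError

    def unmet(self, msg=None):
        raise NotAuthorizedError(msg or self.message)

    def is_met(self, environ):
        try:
            self.evaluate(environ, environ.get("repoze.what.credentials", {}))
        except NotAuthorizedError:
            return False
        return True


class has_permission(Predicate):
    """Met when the current credentials carry the named permission."""
    message = "The user must have the %(permission)s permission"

    def __init__(self, permission_name, **kw):
        super().__init__(**kw)
        self.permission_name = permission_name

    def evaluate(self, environ, credentials):
        if self.permission_name not in credentials.get("permissions", ()):
            self.unmet(self.message % {"permission": self.permission_name})


class Any(Predicate):
    """Met when at least one of the wrapped predicates is met."""
    message = "At least one predicate must be met"

    def __init__(self, *predicates, **kw):
        super().__init__(**kw)
        self.predicates = predicates

    def evaluate(self, environ, credentials):
        if not any(p.is_met(environ) for p in self.predicates):
            self.unmet()


def canonical_path(path):
    """Collapse '.', '..', repeated and trailing slashes so the allow-list
    is compared by exact match, never by prefix or by raw string."""
    return "/" + posixpath.normpath("/" + path).lstrip("/")


class path_in(Predicate):
    """Hypothetical predicate: met when the request path is exactly one of
    the listed paths.  SCRIPT_NAME + PATH_INFO is what pylons.request.path
    holds, so the list is written as full paths."""
    message = "Request path is not exempt from authorization"

    def __init__(self, paths, **kw):
        super().__init__(**kw)
        self.paths = frozenset(canonical_path(p) for p in paths)

    def evaluate(self, environ, credentials):
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "/")
        if canonical_path(path) not in self.paths:
            self.unmet()


def check_authorization(predicate, environ):
    """Raise NotAuthorizedError unless `predicate` is met for `environ`."""
    predicate.evaluate(environ, environ.get("repoze.what.credentials", {}))


# The paths from the thread that must stay reachable without 'manage'.
LOGIN_PATHS = ("/login", "/login_handler", "/post_login_handler",
               "/logout", "/post_logout_handler")

# One policy for the whole root controller instead of a decorator per
# method: exempt the login round-trip, require 'manage' everywhere else.
root_policy = Any(path_in(LOGIN_PATHS),
                  has_permission("manage", msg="Only for managers"))


def is_allowed(path, permissions=()):
    """True if a request for `path` by a user holding `permissions` passes
    root_policy.  The environ is constructed here; there is no server."""
    environ = {
        "PATH_INFO": path,
        "repoze.what.credentials": {"permissions": frozenset(permissions)},
    }
    try:
        check_authorization(root_policy, environ)
    except NotAuthorizedError:
        return False
    return True
```

Two things this does not settle. Where TurboGears lets you attach such a policy to the root controller is exactly the open question in the thread, so `root_policy` is written as a plain predicate that any per-request check could evaluate. And exempting the login paths only covers authorization; the login handler itself still has to drop the previous credentials before issuing new ones, as the post says, otherwise the editor-to-manager case just accumulates sessions.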