On Wednesday February 18, 2009 16:20:16 cd34 wrote:
> Just so I'm clear, if you have to protect the RootController, you have
> to put @require on each of the root controller paths that needs to be
> protected, then protect each subcontroller individually?
>
> So the TurboGears development team suggests the following code
> structure:
>
> <snip>
>
> and then in each of the sub controllers, I can then protect it with:
>
> allow_only = in_group('manage')

When did any of us suggest such a thing?

> which seems quite a bit more complex than including the above line
> once.
>
> Which of the plugins from here:
>
> http://static.repoze.org/whodocs/narr.html#module-repoze.who.plugins.sql
>
> should I be using where I can specify the allow_only on the root
> controller and have the entire application protected?

I already said that if you do want to protect the whole application and don't want the simple and clear workaround I suggested, then you can use *any* repoze.who challenger, except those based on the RedirectingFormPlugin.

> Are there other frameworks that put the login page behind an AAA
> method?

You don't seem to understand what is going on: repoze.who is a WSGI middleware for authentication, used by default in TG2 applications. Because of the way TG2 configures authentication by default, for the user to be authenticated, one of the application's controller actions must be called. So, when authorization is denied and the user is anonymous, the repoze.who middleware catches the authorization denial exception and redirects the user to the login form... But if you protected the login form too, there's no way that the user will be able to log in.

*But*, if you use a different repoze.who challenger, when authorization is denied and the user is anonymous, the repoze.who middleware catches the authorization denial exception and the middleware *itself* renders the login form (or an HTTP authentication prompt) -- without ever reaching the WSGI application, so it doesn't matter if it's totally protected.

Cheers.

-- 
Gustavo Narea <http://gustavonarea.net/>.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
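As an added illustration (not code from this thread, from repoze.who or from TurboGears), here is a toy WSGI model of the two challenger behaviours described in the reply: a redirecting challenger sends anonymous users to an in-app login action, which loops forever once that action is itself protected, while a challenger that answers from the middleware never needs the application to be reachable. All function and class names are invented for the example; no real repoze.who plugin is used.

```python
# Toy model of TG2/repoze.who challenger behaviour; names are invented and
# nothing here is the real repoze.who API.

class NotAuthorized(Exception):
    """Raised when a protected controller denies an anonymous request."""

def make_app(protect_login):
    """Toy app: every path but /login needs a user; with protect_login=True
    /login is protected too, like allow_only on the RootController."""
    def app(environ, start_response):
        path, user = environ.get("PATH_INFO", "/"), environ.get("REMOTE_USER")
        if user is None and (path != "/login" or protect_login):
            raise NotAuthorized(path)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"login form" if path == "/login" else b"hello " + user.encode()]
    return app

def redirecting_form_challenger(app):
    """Models a RedirectingFormPlugin: denial -> redirect to the in-app /login."""
    def middleware(environ, start_response):
        try:
            return app(environ, start_response)
        except NotAuthorized:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
    return middleware

def basic_auth_challenger(app):
    """Models a challenger that answers by itself (HTTP Basic prompt)."""
    def middleware(environ, start_response):
        try:
            return app(environ, start_response)
        except NotAuthorized:
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="tg2"')])
            return [b"login required"]
    return middleware

def anonymous_request(stack, path, max_hops=5):
    """Anonymous client that follows redirects; returns the final status line."""
    for _ in range(max_hops):
        seen = {}
        def start_response(status, headers):
            seen["status"], seen["headers"] = status, dict(headers)
        stack({"PATH_INFO": path}, start_response)
        if not seen["status"].startswith("302"):
            return seen["status"]
        path = seen["headers"]["Location"]
    return "redirect loop"
```

With the redirecting challenger, `anonymous_request(redirecting_form_challenger(make_app(True)), "/admin")` never terminates with a login form, whereas the same fully protected app behind `basic_auth_challenger` answers 401 and the browser can prompt for credentials.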
