I was just giving a try to the IdentityManagement tutorial in the Wiki (http://trac.turbogears.org/turbogears/wiki/IdentityManagement)

Great... but a small glitch makes it somehow not very usable out of the box: the login method of the controller performs a check against the identity_exception attribute... which doesn't exist anymore, having been replaced by identity_errors (same purpose) => patch:

-- if hasattr(cherrypy.request,"identity_exception"):
-- msg= str(cherrypy.request.identity_exception)
++ if hasattr(cherrypy.request,"identity_errors"):
++ msg= str(cherrypy.request.identity_errors)

Now one correctly gets the "['Not member of group: admin']" error message. Please, someone with write access: update the Wiki page.

Does anyone know how to enforce use of Digest Authentication (RFC2617)? The tutorial uses a cookie.

2 small remarks on IdentityManagement:

1. From the security point of view: maybe a general on/off setting to turn off detailed information would be good: some people/organizations do not like information leaking (there is a group named 'admin') in login errors: just "Login failed", "Access denied" or "authorization required" would be sufficient (BTW text for error message in the config file too)

2. From the usability point of view: there are 2 different situations:
   a) no login info => must be replied with a simple "Please login" type of message
   b) incorrect login info => see remark 1 above

Anyway this is a brilliant piece of code (missing an admin GUI Wiki though :-/ ), with ueber-cool decorators... THX Jeff Watkins!
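Review bot: on the added line msg= str(cherrypy.request.identity_errors), str() is applied to what the quoted output "['Not member of group: admin']" shows to be a list, so the visitor sees Python list syntax; joining the entries, for example "; ".join(str(e) for e in cherrypy.request.identity_errors), would give a readable message. The hasattr() guard on the line above also passes when the attribute exists but holds no errors, so testing the value itself (getattr(cherrypy.request, "identity_errors", None)) would avoid showing "[]".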
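The two remarks in the post, sketched as an added example that is not part of the original post or of TurboGears: a message selector that keeps the detail in the server log and shows the visitor only a generic text unless a switch is on. The function name, the `identity.*` setting names and the message texts are assumptions.

```python
import logging

log = logging.getLogger("identity.login")

# Hypothetical setting names: the post asks for an on/off switch and for
# message texts in the config file, but names none.
DEFAULT_CONFIG = {
    "identity.detailed_errors": False,
    "identity.msg.login_required": "Please log in.",
    "identity.msg.login_failed": "Login failed.",
    "identity.msg.access_denied": "Access denied.",
}


def login_message(identity_errors, credentials_supplied, authenticated,
                  config=DEFAULT_CONFIG):
    """Return the text to show the visitor; the detail goes to the log."""
    errors = [str(e) for e in (identity_errors or [])]
    if errors:
        # %r escapes control characters, so a crafted user name cannot
        # forge extra log lines.
        log.warning("identity check failed: %r", errors)

    # Situation (a): nobody has tried to log in yet.
    if not credentials_supplied and not authenticated:
        return config["identity.msg.login_required"]

    # Detailed text only when explicitly switched on (e.g. in development).
    if errors and config.get("identity.detailed_errors"):
        return "; ".join(errors)

    # Situation (b): credentials were sent but rejected.
    if not authenticated:
        return config["identity.msg.login_failed"]

    # Logged in, but a group or permission check failed.
    return config["identity.msg.access_denied"]


if __name__ == "__main__":
    # Constructed sample: the error string quoted in the post.
    sample = ["Not member of group: admin"]
    print(login_message(sample, True, True))
    print(login_message([], False, False))
```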