Can you validate this code then (assume for now that password is
cleartext in the DB)?

    @tg.expose()
    def login(self, username, password):
        result = 'ok'
        user = User.get_by(user_name=username)
        if user:
            # Cleartext comparison, as assumed above.
            if user.password == password:
                identity.set_current_identity(user)
            else:
                result = 'invalid login'
        else:
            # Same message as a wrong password.
            result = 'invalid login'
        return result



On Feb 22, 5:57 am, "Patrick Lewis" <[EMAIL PROTECTED]> wrote:
> On Feb 21, 7:25 pm, "Jesse James" <[EMAIL PROTECTED]> wrote:
>
>
>
> > Howdy,
> > I am using SqlAlchemy under TG and Flash (with FlexBuilder 2) for the
> > UI.
> > I'm trying to figure out how to get login/logout and @require
> > decorator to work for me.
> > I am not walking down the garden path of using Kid and SqlObject so it
> > is not really set up right out of the box. Rather I am attempting to
> > leverage the auth framework in TG but with  different needs from the
> > standard template-based app - I need much more explicit rejection of
> > unauthorized access attempts (not redirects to a login screen). Upon
> > login, however, it seems that it should be quite straightforward to
> > setup the identity, yes?
>
> > What I need to know is the following:
>
> > 1. how do I write my own login controller that will explicitly set the
> > identity for any future requests.
> > 2. how do I logout.
>
> In general terms, what identity is doing is associating a 'visit'
> session (everyone visiting the site gets a unique visit key) with a
> user.  This starts out in the visit module
> (http://tinyurl.com/376wae). Roughly, this works like:
>
> - Identity receives a new request, and eventually routes it to
> identity_from_request
> - identity_from_request tries to authenticate via the methods you
> specified in the config (default to form,http_auth,visit). form and
> http_auth basically check for credentials in the request, and the
> visit check (via identity_from_visit) asks the identity provider to
> return a user
> - if all the authentication methods fail, the identity is set to
> anonymous
>
> Ok, that's the authentication path.  Now, when a user doesn't have
> appropriate permissions, (i.e. the identity.require check fails), an
> IdentityFailure exception is raised, which brings up the login form
> (http://tinyurl.com/2j3ecm).
>
> Logging out is done by removing the association between the user and
> the visit key. This happens in SqlObjectIdentity or SqlAlchemyIdentity
> via the logout() method. Or, in a controller, by calling
> identity.current.logout()
>
> Ok, so, where does that leave you. I'm not sure, so you may want to
> ask more questions. Some things to think about.
>
> If you set identity config options like:
>
> identity.failure_url="/my_failure_url"
> identity.source="visit"
>
> You would get rid of the redirect to the login form. my_failure_url
> could be a controller that raises an Unauthorized exception, or
> perhaps shows an error page. You could then setup your own login form
> and controller that explicitly associated the user with the visit key,
> using identity.current_provider.validate_identity, and bypass identity's
> default form login altogether.  The caveat is that the only
> way to authenticate will be through your new login form, but it sounds
> like that is what you want anyways.
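
The login() check at the top of this message, once the cleartext assumption is dropped, shown as an added example that is not part of the original thread or of TurboGears. The dict-based user store and the names hash_password, check_login, USERS and PBKDF2_ROUNDS are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example (not taken from the thread).
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) to store instead of the cleartext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


# Verified against when the user name is unknown, so both failure
# branches perform the same key derivation.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")


def check_login(user_store, username, password):
    """Return 'ok' or the single 'invalid login' result, like login() above."""
    record = user_store.get(username)
    salt, stored = record if record else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, candidate = hash_password(password, salt)
    # compare_digest runs in constant time; == can leak how many leading
    # bytes matched through response timing.
    matches = hmac.compare_digest(candidate, stored)
    if record and matches:
        # A controller would associate the user with the visit key here.
        return "ok"
    return "invalid login"


# Constructed sample data: user name -> (salt, digest).
USERS = {"jesse": hash_password("correct horse")}

if __name__ == "__main__":
    print(check_login(USERS, "jesse", "correct horse"))
    print(check_login(USERS, "jesse", "wrong"))
    print(check_login(USERS, "nobody", "correct horse"))
```

Unknown user and wrong password return the same string and take the same code path, so the response does not reveal which user names exist.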

