I don't think that will persist outside of the current request (i.e. the user won't stay logged in). How about something like (untested):
http://paste.turbogears.org/paste/1067

On Feb 24, 5:03 pm, "Jesse James" <[EMAIL PROTECTED]> wrote:
> Can you validate this code then (assume for now that password is
> cleartext in the DB)?
>
> @tg.expose()
> def login(self, username, password):
>     result = 'ok'
>     user=User.get_by(user_name=username)
>     if(user):
>         if(user.password == password):
>             identity.set_current_identity(user)
>         else:
>             result = 'invalid login'
>     else:
>         result = "invalid login"
>     return result
>
> On Feb 22, 5:57 am, "Patrick Lewis" <[EMAIL PROTECTED]> wrote:
>
> > On Feb 21, 7:25 pm, "Jesse James" <[EMAIL PROTECTED]> wrote:
>
> > > Howdy,
> > > I am using SqlAlchemy under TG and Flash (with FlexBuilder 2) for the
> > > UI.
> > > I'm trying to figure out how to get login/logout and @require
> > > decorator to work for me.
> > > I am not walking down the garden path of using Kid and SqlObject so it
> > > is not really set up right out of the box. Rather I am attempting to
> > > leverage the auth framework in TG but with different needs from the
> > > standard template-based app - I need much more explicit rejection of
> > > unauthorized access attempts (not redirects to a login screen). Upon
> > > login, however, it seems that it should be quite straightforward to
> > > setup the identity, yes?
>
> > > What I need to know is the following:
>
> > > 1. how do I write my own login controller that will explicitly set the
> > > identity for any future requests.
> > > 2. how do I logout.
>
> > In general terms, what identity is doing is associating a 'visit'
> > session (everyone visiting the site gets a unique visit key) with a
> > user. This starts out in the visit module (http://tinyurl.com/376wae).
> > Roughly, this works like:
>
> > - Identity receives a new request, and eventually routes it to
> > identity_from_request
> > - identity_from_request tries to authenticate via the methods you
> > specified in the config (default to form,http_auth,visit). form and
> > http_auth basically check for credentials in the request, and the
> > visit check (via identity_from_visit) asks the identity provider to
> > return a user
> > - if all the authentication methods fail, the identity is set to
> > anonymous
>
> > Ok, that's the authentication path. Now, when a user doesn't have
> > appropriate permissions, (i.e. the identity.require check fails), an
> > IdentityFailure exception is raised, which brings up the login form
> > (http://tinyurl.com/2j3ecm).
>
> > Logging out is done by removing the association between the user and
> > the visit key. This happens in SqlObjectIdentity or SqlAlchemyIdentity
> > via the logout() method. Or, in a controller, by
> > calling identity.current.logout()
>
> > Ok, so, where does that leave you. I'm not sure, so you may want to
> > ask more questions. Some things to think about.
>
> > If you set identity config options like:
>
> > identity.failure_url="/my_failure_url"
> > identity.source="visit"
>
> > You would get rid of the redirect to the login form. my_failure_url
> > could be a controller that raises an Unauthorized exception, or
> > perhaps shows an error page. You could then setup your own login form
> > and controller that explicitly associated the user with the visit key,
> > using identity.current_provider.validate_identity, and
> > bypass identity's default form login altogether. The caveat is that the only
> > way to authenticate will be through your new login form, but it sounds
> > like that is what you want anyways.
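
A minimal model of the visit-key flow discussed in this thread, added here as an example (not code from the posts, the linked paste, or TurboGears itself): it shows why setting the identity only for the current request does not keep the user logged in, while linking the visit key to the user does, and how logout removes that link. The class, function and user names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data; cleartext only because the thread assumes it.
USERS = {"alice": "s3cret"}

def check_password(username, password):
    """Reject unknown users, then compare in constant time."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

class VisitIdentityModel:
    """Toy identity provider: a visit key is linked to at most one user."""

    def __init__(self):
        self.visit_links = {}  # visit_key -> user name; survives between requests

    def new_visit(self):
        return secrets.token_hex(16)  # every visitor gets a unique visit key

    def identity_from_visit(self, visit_key):
        # Evaluated at the start of each request; None means anonymous.
        return self.visit_links.get(visit_key)

    def login_request_only(self, visit_key, username, password):
        # Like the quoted controller: identity for this request, nothing stored.
        return username if check_password(username, password) else None

    def login_with_visit(self, visit_key, username, password):
        # Explicitly associate the user with the visit key on success.
        if not check_password(username, password):
            return None
        self.visit_links[visit_key] = username
        return username

    def logout(self, visit_key):
        self.visit_links.pop(visit_key, None)  # drop the user/visit association

def demo():
    model, results = VisitIdentityModel(), {}
    visit = model.new_visit()
    model.login_request_only(visit, "alice", "s3cret")
    results["next_request_after_request_only_login"] = model.identity_from_visit(visit)
    model.login_with_visit(visit, "alice", "s3cret")
    results["next_request_after_visit_login"] = model.identity_from_visit(visit)
    results["different_visit_key"] = model.identity_from_visit(model.new_visit())
    model.logout(visit)
    results["next_request_after_logout"] = model.identity_from_visit(visit)
    results["bad_password"] = model.login_with_visit(visit, "alice", "wrong")
    return results

if __name__ == "__main__":
    print(demo())
```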

