Chris - I think this is exactly what I'm looking for. And this is
meant to come from a specific IP. I had some clumsy code checking
that out. The require decorator is a bonus for me :-)
I'll try this out tonight.
Thanks all for helping me out.
kv.Bjarni
2008/10/1 Christopher Arndt <[EMAIL PROTECTED]>:
>
> Uwe C. Schroeder wrote:
>> On Tuesday 30 September 2008, Bjarni Ragnarsson wrote:
>>> I really need to be able to authenticate users directly in code
>>> knowing only the user name. That is, password is unknown. The user
>>> is authenticated outside the web.
>>>
>>> How can this be accomplished (without hacking TG code)?
>>> I have TG 1.0b.
>>
>> Something like this might help. I assume you generate a URL for your users.
>> Here is my code that works just fine. It's used for emails (newsletter) sent
>> out to users and I put a URL in it so the user can log in without typing a
>> password. So when generating the mail, I create a key which I store in the
>> database along with the user's name.
>> The code below is what happens when the user clicks on the provided link:
>>
>> def signup_mail(self, *args, **kw):
>>     if identity.current.anonymous:
>>         # log him in
>>         rec = PendingSignup.get(kw.get('vkey', None))
>>         if not rec:
>>             raise redirect('/signup_mail_failed')
>>         user = User.get(rec.uid)
>>         if not user:
>>             raise redirect('/signup_mail_failed')
>>         i = identity.current_provider.validate_identity(
>>             user.user_name, user.password, identity.current.visit_key)
>>         identity.set_current_identity(i)
>>
>> At this point the user is logged in.
>
> Nice recipe. Of course it requires that the user has a password (any
> will do) set in the database.
>
> If you want to log in a user unconditionally, you can use the recipe on
> the following wiki page (which I just updated with some changes I wanted
> to put there for a long time now):
>
> http://docs.turbogears.org/1.0/IdentityRecipes#log-in-a-user-object-manually
>
> You could then load the user in a controller object like this:
>
> @expose()
> def login(self, user):
>     # login_user() is the helper from the wiki recipe linked above
>     user = User.by_user_name(user)
>     if user:
>         login_user(user)
>         redirect('/startpage')
>     flash('User not found')
>     redirect('/')
>
>
> Of course this is VERY INSECURE and basically not much better than
> having no authentication, since now the shared secret between the server
> and the user is the username, which is usually much easier to guess than
> a password! If this is only used inside an intranet, that might be ok,
> but then you should put additional checks in place, e.g. that logging in
> this way is only permitted if the client comes from a certain IP
> (range). This can be accomplished with a
> '@identity.require(identity.from_host(...))' host decorator, for example.
>
> Chris
>
>
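
Added example (not code from this thread or from TurboGears): stand-alone Python showing the two checks discussed above together, a mailed login key that is random, stored only as a hash, expiring and single-use, and a client-address allow-list applied before the key is accepted. The `pending` dict (standing in for the PendingSignup table), the 10.0.0.0/8 range, the one-hour lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import ipaddress
import secrets
import time

# Assumed policy values, not taken from the thread.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KEY_TTL = 3600  # seconds a mailed link stays valid

# sha256(key) -> (user_name, expires_at); stands in for the PendingSignup table
pending = {}


def _digest(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(user_name, now=None):
    """Create the value mailed as ?vkey=...; only its hash is stored."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    pending[_digest(key)] = (user_name, now + KEY_TTL)
    return key


def ip_allowed(remote_addr):
    """True only for a parseable address inside an allowed network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def redeem_key(key, remote_addr, now=None):
    """Return the user name to log in, or None. A key works at most once."""
    now = time.time() if now is None else now
    if not key or not ip_allowed(remote_addr):
        return None  # rejected before the key is touched
    rec = pending.pop(_digest(key), None)  # pop: single use, even if expired
    if rec is None or now > rec[1]:
        return None
    return rec[0]
```

The user name returned by `redeem_key()` is what a controller would look up and pass on to the login step; a `None` result should lead to the same failure page in every case.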
You received this message because you are subscribed to the Google Groups
"TurboGears" group.