Diez B. Roggisch wrote:
> On Wednesday 15 October 2008 15:36:58 Christopher Arndt wrote:
>
> I think you could make that page of the application not part of the
> authenticated parts of the app. Then after successfully changing the
> password, authenticate the user "by hand" in the form-handler and redirect.

Ok, this means that I would pass the user_id as a hidden field, when forwarding to the password update form and then the user would have to enter his old password again to make sure he is the right user.

> Another approach might be to alter the groups of a user via a property that
> looks up the "real" groups, or if pwd is expired returns a single group that
> only grants one permission to the change-your-password-page.
>
> This would rule out using "not_anonymous" for other app-parts of course. You
> might instead use a custom predicate, "not_expired" that combines
> not_anonymous and not_expired.

That would mean that I would have to change a lot of identity.require decorators, which I'd rather not, if I can avoid it.

Thanks for the suggestions!

Chris
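The group-masking property suggested in the quoted reply, as an added, framework-free sketch that is not part of the original thread and does not use the TurboGears identity API. The class, the group name `password_expired`, the permission names and the 90-day limit are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)        # assumed policy value
PASSWORD_EXPIRED_GROUP = "password_expired"  # hypothetical group name

# Hypothetical group -> permission mapping. The restricted group grants
# exactly one permission: reaching the change-your-password page.
GROUP_PERMISSIONS = {
    "admin": {"view_reports", "edit_users", "change_password"},
    "staff": {"view_reports", "change_password"},
    PASSWORD_EXPIRED_GROUP: {"change_password"},
}


@dataclass
class User:
    name: str
    real_groups: set            # what is stored for the user
    password_changed: datetime  # time of the last password change

    def password_expired(self, now=None):
        now = now or datetime.now()
        return now - self.password_changed > MAX_PASSWORD_AGE

    def groups(self, now=None):
        """Effective groups: the real ones, or only the restricted
        group while the password is expired."""
        if self.password_expired(now):
            return {PASSWORD_EXPIRED_GROUP}
        return set(self.real_groups)

    def permissions(self, now=None):
        perms = set()
        for group in self.groups(now):
            perms |= GROUP_PERMISSIONS.get(group, set())
        return perms


def has_permission(user, permission, now=None):
    """Stand-in for the permission test an existing decorator performs."""
    return permission in user.permissions(now)
```

Group and permission checks pick up the masking without being edited, while a check that only asks whether the user is logged in is unaffected by it, which is the limitation the quoted reply points out.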

