Not sure it is required to check if the next var is empty or not... If there is 
no next in the URL it should log in...:

        if self.is_logged_in():
            if self.get_vars_next() is not None and self.get_vars_next() != '':
                redirect(self.get_vars_next())
            else:
                # redirect() takes the target URL as its first argument
                redirect(URL('default', 'index'))

So, maybe this could be rewritten like so:


        if self.get_vars_next() is not None and self.get_vars_next() != '' and self.is_logged_in():
            redirect(self.get_vars_next())

Richard

On Wednesday, August 19, 2015 at 14:17:41 UTC-4, Richard wrote:
>
> I had this here and it works... Though, it needs to check if the _next var is 
> populated; if not, redirect to default/index maybe...
>
> What do you think... I am not well versed in security; could this create a 
> security hole?
>
>     def login(
>         self,
>         next=DEFAULT,
>         onvalidation=DEFAULT,
>         onaccept=DEFAULT,
>         log=DEFAULT,
>     ):
>         """
>         returns a login form
>
>         method: Auth.login([next=DEFAULT [, onvalidation=DEFAULT
>             [, onaccept=DEFAULT [, log=DEFAULT]]]])
>
>         """
>         if self.is_logged_in():
>             redirect(self.get_vars_next())
>
>         table_user = self.table_user()
>         settings = self.settings
>
> On Wednesday, August 19, 2015 at 14:01:40 UTC-4, Richard wrote:
>>
>> Nope, it's only cas_login related...
>>
>> On Wed, Aug 19, 2015 at 2:00 PM, Richard Vézina <
>> [email protected]> wrote:
>>
>>> Is the function that performs the check allow_access()??
>>>
>>> On Wed, Aug 19, 2015 at 1:59 PM, Richard Vézina <
>>> [email protected]> wrote:
>>>
>>>> Exactly, I was reading the code to figure out where the credentials check is 
>>>> performed...
>>>>
>>>> I will try to make a PR, if I can find the right place... I will send 
>>>> here before what I come up with if you want to review...
>>>>
>>>> Richard
>>>>
>>>> On Wed, Aug 19, 2015 at 1:54 PM, Anthony <[email protected]> wrote:
>>>>
>>>>> On Wednesday, August 19, 2015 at 1:20:49 PM UTC-4, Richard wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I often run into this annoying issue... I always leave multiple tabs 
>>>>>> open, all accessing my app... When the browser gets restarted, all these 
>>>>>> tabs get redirected to the "user/login?_next=..." URL when I have been 
>>>>>> logged out from the system... I found it unpleasant that, if I log in in 
>>>>>> one of the tabs, I can't just refresh the other tabs... Reloading the page 
>>>>>> still requires me to input my credentials again or to remove the 
>>>>>> "user/login?_next=" from the URL to avoid logging in even if I am logged in...
>>>>>>
>>>>>> I don't know if we could implement something that would make some 
>>>>>> redirection to the next URL component on page reload and how this could 
>>>>>> cause overhead of doing so... But it could make this repetitive task a 
>>>>>> memory if it could be implemented easily...
>>>>>>
>>>>>
>>>>> Maybe early in the Auth.login method, there could be a check to see if 
>>>>> the user is already logged in (i.e., check for the existence of 
>>>>> self.user) and if there is a _next URL -- in that case, there could just 
>>>>> be an immediate redirect to the _next URL without bothering with the 
>>>>> login. That way, if you re-login in one tab and then hit refresh in 
>>>>> another tab, the other tab will return to its original page.
>>>>>
>>>>> Anthony
>>>>>  
>>>>>
>>>>>>
>>>>>> Richard
>>>>>>
>>>>> -- 
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> --- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "web2py-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>>
>>>
>>
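
On the security question raised in the thread: `_next` arrives in the query string, so an early redirect on it should first confirm that the target stays on the same site. The following is an added example, not part of the original messages and not web2py's own code; `safe_next`, `early_redirect_target`, the fallback path and the sample hosts are hypothetical names chosen for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/default/index"  # assumed fallback path (the thread's default/index)


def safe_next(next_url, request_host, default=DEFAULT_TARGET):
    """Return next_url only if it keeps the browser on request_host."""
    if not next_url:
        return default
    # Browsers read "\" as "/" and drop tabs/newlines, so refuse both outright.
    if "\\" in next_url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_url):
        return default
    try:
        parts = urlsplit(next_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a rooted path, but not "//host" or "///host",
        # which browsers resolve to another site.
        ok = next_url.startswith("/") and not next_url.startswith("//")
        return next_url if ok else default
    same_host = parts.netloc.lower() == request_host.lower()
    if parts.scheme in ("http", "https") and same_host:
        return next_url
    return default


def early_redirect_target(logged_in, next_url, request_host):
    """Where an already-logged-in user goes; None means show the login form."""
    return safe_next(next_url, request_host) if logged_in else None


# Constructed sample values, not taken from a real deployment.
SAMPLES = [
    "/app/default/report?id=3",
    "https://app.example.com/app/default/report",
    "https://evil.example/login",
    "//evil.example/x",
    "///evil.example/x",
    "/\\evil.example",
    "javascript:alert(1)",
    "https://app.example.com@evil.example/",
    "",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", early_redirect_target(True, s, "app.example.com"))
```

Only the first two samples are returned unchanged; every other value falls back to the default target, which matches the "if not, redirect to default/index" behaviour discussed above.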
