I agree

On Saturday, 10 October 2015 07:35:50 UTC-5, DenesL wrote:
>
> Status 401 is more appropriate since session has expired and the user is
> not authenticated.
> Ajax or no ajax.
>
> But we should return 403 when the user is authenticated and the request
> authorization fails for a component.
>
> Do you agree with the following table?
> USER = is authenticated
> COMP = current.request.ajax and current.request.cid
> RCR = raise or call/redirect
>
> USER  COMP  RCR
> F     F     401/otherwise
> F     T     401
> T     F     403/otherwise
> T     T     403
>
> Denes
>
> On Friday, October 9, 2015 at 11:26:42 PM UTC-4, Massimo Di Pierro wrote:
>>
>> Shouldn't we always return 403 if ajax?
>>
>> On Friday, 9 October 2015 12:22:52 UTC-5, DenesL wrote:
>>>
>>> Changing
>>> if current.request.ajax:
>>>     raise HTTP(401, self.messages.ajax_failed_authentication)
>>>
>>> to
>>> if current.request.ajax and current.request.cid:
>>>     raise HTTP(401, self.messages.ajax_failed_authentication)
>>>
>>> in gluon/tools/Auth class/requires function (line 3749 in release
>>> 2.12.03)
>>> seems to solve the problem since it verifies it is a component before
>>> raising a 401, else it follows the "otherwise" or
>>> auth.settings.on_failed_authorization redirect (which I am using).
>>>
>>> Denes.
>>>
>>> On Tuesday, October 6, 2015 at 1:50:04 PM UTC-4, DenesL wrote:
>>>>
>>>> Hi
>>>>
>>>> an expired session becomes empty but this does not seem to always
>>>> trigger auth.requires_login redirection to the login URL neither when set
>>>> via auth.requires_login(loginURL), aka the otherwise parameter, nor by
>>>> auth.settings.on_failed_authorization = loginURL *when XMLHttpRequest
>>>> (XHR) is used.*
>>>> Actually the otherwise parameter is superfluous in this case.
>>>>
>>>> Status 401 UNAUTHORIZED with response
>>>> <div class="not-authorized alert alert-block"><h4>NOT AUTHORIZED</h4>Please <a href="">login</a> to view this content.</div>
>>>> but that is never seen since I am using www.idangero.us/framework7,
>>>> which loads all links with Ajax by default, does not refresh the page.
>>>>
>>>> So this probably happens because the call is being treated as a
>>>> component by web2py.
>>>> I can get around this by defining the links as external in framework7
>>>> but I wonder if it would not be better to have a way to tell web2py to
>>>> redirect when the session has expired even when using Ajax calls.
>>>>
>>>> Thanks,
>>>> Denes
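Added example (not part of any post in this thread, and not web2py's own code): a stand-alone Python model of the check quoted from the `requires` function, the proposed change to it, and the status table, run against an Ajax-loaded link, a component load and a plain page load. `Request`, `released`, `patched`, `proposed_table` and the sample URL and cid are hypothetical; only the branch quoted in the thread is modelled, and the table is read as "status code, plus whether `otherwise` is still followed".

```python
# Added example: stand-alone model, does not import web2py.
# Request, released, patched and proposed_table are hypothetical names.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    ajax: bool                 # stands in for current.request.ajax
    cid: Optional[str] = None  # stands in for current.request.cid


def released(req, otherwise):
    """Check as quoted from release 2.12.03: every Ajax call gets a bare 401."""
    if req.ajax:
        return ("raise", 401)
    return ("otherwise", otherwise)


def patched(req, otherwise):
    """Proposed change: only a component (ajax and cid) gets the bare 401."""
    if req.ajax and req.cid:
        return ("raise", 401)
    return ("otherwise", otherwise)


def proposed_table(user, req):
    """One reading of the table: (status, whether 'otherwise' is still followed)."""
    comp = bool(req.ajax and req.cid)
    return (403 if user else 401, not comp)


LOGIN_URL = "/app/default/user/login"        # constructed sample value
XHR_LINK = Request(ajax=True)                # Ajax-loaded link, no cid
COMPONENT = Request(ajax=True, cid="c1")     # component load, constructed cid
PAGE = Request(ajax=False)                   # ordinary page load

if __name__ == "__main__":
    for name, req in [("xhr link", XHR_LINK), ("component", COMPONENT), ("page", PAGE)]:
        print(name, released(req, LOGIN_URL), patched(req, LOGIN_URL),
              [proposed_table(u, req) for u in (False, True)])
```

The Ajax-loaded link is the only request whose outcome differs between `released` and `patched`, which is the case the original post describes.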

