On Jul 12, 2009, at 10:00 AM, mdipierro wrote:
>
> correct on both accounts. I will get this fixed in the code and the
> manual. Thanks.
I'm not familiar enough with the DAL to know if this makes complete
sense, but might it be reasonable for Auth.define_tables to add
required fields and validations to the user table (and perhaps other
tables) if they're missing?
That would have at least three benefits: a developer wouldn't have as
much to do when extending the table(s); it would ensure that the
security-related validations are in place; and it would effectively
migrate existing tables the next time web2py is updated and run.
define_tables might end up looking like this:
    if (no user table)
        define a user table
    if (no required-field x)
        define required-field x
    if (no required-field y)
        define required-field y
    if (field y doesn't have validation v)
        add validation v to field y
    etc...
Perhaps there's an easier way, but you get the idea.
>
> Massimo
>
> On Jul 12, 11:44 am, Jonathan Lundell <[email protected]> wrote:
>> In Auth.define_tables we define the user table thus:
>>
>>     if not self.settings.table_user:
>>         passfield = self.settings.password_field
>>         self.settings.table_user = db.define_table(
>>             self.settings.table_user_name,
>>             db.Field('first_name', length=128, default=''),
>>             db.Field('last_name', length=128, default=''),
>>             # db.Field('username', length=128, default=''),
>>             db.Field('email', length=128, default=''),
>>             db.Field(passfield, 'password', readable=False,
>>                      label='Password'),
>>             db.Field('registration_key', length=128,
>>                      writable=False, readable=False,
>>                      default=''),
>>             migrate=self.__get_migrate(self.settings.table_user_name, migrate))
>>         table = self.settings.table_user
>>         table.first_name.requires = IS_NOT_EMPTY(error_message=self.messages.is_empty)
>>         table.last_name.requires = IS_NOT_EMPTY(error_message=self.messages.is_empty)
>>         table[passfield].requires = [CRYPT()]
>>         table.email.requires = [IS_EMAIL(error_message=self.messages.invalid_email),
>>                                 IS_NOT_IN_DB(db, '%s.email' % self.settings.table_user._tablename)]
>>         table.registration_key.default = ''
>>
>> In Auth.register, we have the following auto-login sequence; there's
>> similar logic in Auth.login, but it's clearer here:
>>
>>     else:
>>         user[form.vars.id] = dict(registration_key='')
>>         session.flash = self.messages.registration_successful
>>         table_user = self.settings.table_user
>>         if 'username' in table_user.fields:
>>             username = 'username'
>>         else:
>>             username = 'email'
>>         users = self.db(table_user[username] == form.vars[username])\
>>                 .select()
>>         user = users[0]
>>         user = Storage(table_user._filter_fields(user, id=True))
>>         session.auth = Storage(user=user,
>>                                last_visit=request.now,
>>                                expiration=self.settings.expiration)
>>         self.user = user
>>         session.flash = self.messages.logged_in
>>
>> Finally, the manual "Customizing auth_user" says, 'If you add a field
>> called "username", it will be used in place of the "email" for
>> login.'
>> We see the username/email logic in Auth.register.
>>
>> The problem is that the username field needs (like email) to be
>> IS_NOT_EMPTY and IS_NOT_IN_DB, or the obvious bad thing can happen.
>>
>> Is it enough to mention the need for the validations (maybe a complete
>> sample line) in the manual?
>>
>> Finally, shouldn't both email and username require unique=True?
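As an added illustration (not web2py's own code), here is a pure-Python stand-in for the auth_user table, the IS_NOT_EMPTY / IS_NOT_IN_DB validators and the users[0] auto-login step quoted above. It shows what happens when the username field carries no validators: a second registration with an existing username is auto-logged in as the first user with that name, whereas the same validators that email already has reject it. The table class, validator functions and sample accounts are constructed for this example; in web2py itself the field would also carry unique=True as the database-level backstop.

```python
# Added example, not web2py code: a stand-in for auth_user, the IS_NOT_EMPTY /
# IS_NOT_IN_DB validators and Auth.register's users[0] auto-login step.

class UserTable:
    def __init__(self):
        self.rows = []          # constructed in-memory rows, each with an id

    def insert(self, **fields):
        fields['id'] = len(self.rows) + 1
        self.rows.append(fields)
        return fields['id']

    def select(self, field, value):
        # mirrors db(table_user[username] == form.vars[username]).select()
        return [row for row in self.rows if row.get(field) == value]

def is_not_empty(value):
    """Stand-in for IS_NOT_EMPTY: returns (value, error_or_None)."""
    return (value, None) if value.strip() else (value, 'cannot be empty')

def is_not_in_db(table, field):
    """Stand-in for IS_NOT_IN_DB(db, 'auth_user.<field>')."""
    def check(value):
        found = table.select(field, value)
        return (value, 'value already in database') if found else (value, None)
    return check

def register(table, form_vars, requires, login_field='username'):
    """Validate, insert, then auto-login as the quoted snippet does (users[0])."""
    for field, validators in requires.items():
        for validator in validators:
            _, error = validator(form_vars.get(field, ''))
            if error:
                return {'errors': {field: error}, 'user': None}
    table.insert(**form_vars)
    users = table.select(login_field, form_vars[login_field])
    return {'errors': {}, 'user': users[0]}

def demo():
    alice = {'username': 'alice', 'email': 'alice@example.com'}
    second = {'username': 'alice', 'email': 'someone-else@example.com'}
    unchecked = UserTable()                       # username has no validators
    register(unchecked, alice, {})
    hijacked = register(unchecked, second, {})    # auto-login lands on user id 1
    checked = UserTable()                         # username validated like email
    rules = {'username': [is_not_empty, is_not_in_db(checked, 'username')]}
    register(checked, alice, rules)
    blocked = register(checked, second, rules)    # rejected by IS_NOT_IN_DB
    return hijacked['user']['id'], blocked['errors']
```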
You received this message because you are subscribed to the Google Groups
"web2py Web Framework" group.