On Oct 1, 11:04 am, Dmitri Zagidulin <[email protected]> wrote:
> Ahh, ok! Makes sense now.
> I think I misunderstood the tutorial, and thought that you have to add
> form=auth() to the return dict of every function that's auth-
> protected, not just to user().
>
> Thanks again for your help! It works now.
>
> Quick question, though, about the vars being dropped -- what if I have
> parameters in a link to a protected page that I do need carried
> forward through the login redirection?
> Say I have a report with name-value parameters, like:
> myreport?arg1=value1&arg2=value2,
>
> and myreport is auth-protected. And a user runs the report, lets his
> session time out (or copies and pastes the url and uses it on another
> computer), and tries to run that report again? The user would need to
> log in again, and would lose the parameters in vars?

yes

> I understand that request.vars are necessary to handle the login form
> after redirection, but shouldn't there be some way to preserve the
> vars pre-login, and still handle the login form correctly?

I think when the redirection occurs the complete original URL
(r=request,args=request.args,vars=request.vars) should be b16encoded
and stored in _next so that, after login, one can redirect to the
proper URL.
I would take a patch to do it.

> On Oct 1, 11:39 am, mdipierro <[email protected]> wrote:
>
> > That is not the problem but now I understand the problem
> > Consider this:
>
> > def test1(): return dict(vars=BEAUTIFY(request.vars))
>
> > @auth.requires_login()
> > def test2(): return dict(vars=BEAUTIFY(request.vars))
>
> > @auth.requires_login()
> > def test3():
> >     response.flash = str(request.vars)
> >     return dict(form=auth())
>
> > Then login and try:
> > http://..../test1?hello=world works
> > http://..../test2?hello=world works
> > http://..../test3?hello=world (*)
>
> > (*) does not do what you expect because you call auth() inside a
> > function that requires_login. auth() overrides the login because it
> > thinks it is its job to check login and performs a redirection. The
> > request.vars are not carried forward with redirection and that is
> > according to the specs, since request.vars are necessary to handle the
> > login form after redirection.
>
> > The issue is you should not call auth() inside a function that
> > requires_login because they conflict. Perhaps if you explain to us what
> > you are trying to accomplish we can be more helpful.
>
> > Massimo
>
> > On Oct 1, 10:20 am, Dmitri Zagidulin <[email protected]> wrote:
>
> > > Aha! I'm glad you said this.
>
> > > I tried out your tests above, and they did indeed work.
>
> > > The difference between those and my function in the initial post that
> > > did not work is that test1 returns a string directly, and the test
> > > index() above returns a dictionary, like in the auth tutorial:
> > > @auth.requires_login()
> > > def index():
> > >     """
> > >     Login-protected index page
> > >     """
> > >     response.flash = str(request.vars)
> > >     return dict(form=auth())
>
> > > When you pass an arg to an auth-protected function that returns dict
> > > (form=auth()), that arg results in a 404. (And the vars just get
> > > dropped).
> > > But if I don't return form=auth(), then the function is not actually
> > > auth-protected, and does not prompt for login, etc.
>
> > > So, can you try that?
>
> > > On Sep 30, 5:57 pm, mdipierro <[email protected]> wrote:
>
> > > > Sorry, I did not mean to say I do not believe you.
> > > > I meant to say that either I do not understand the question or
> > > > something else is going on in your code.
>
> > > > I just did the following test:
>
> > > > a new app
>
> > > > > def test1(): return repr(dict(request.vars))
>
> > > > > @auth.requires_login()
> > > > > def test2(): return repr(dict(request.vars))
>
> > > > > and then logged in and visited
> > > > > http://..../test1?hello=world
> > > > > http://..../test2?hello=world
>
> > > > They both show
>
> > > > {'hello': 'world'}
>
> > > > If this does not work for you then there is a major problem but it is
> > > > not in auth.requires_login(). Please tell us more about the OS, the
> > > > Python version.
>
> > > > Massimo
>
> > > > On Sep 30, 2:55 pm, Dmitri Zagidulin <[email protected]> wrote:
>
> > > > > Then how do I account for the fact that (while being logged in) if I
> > > > > remove the requires_login() decorator, I can access the vars inside
> > > > > the function,
> > > > > but if I put back the decorator, I cannot see the vars? And, similarly
> > > > > - if I don't have requires_login, args get loaded into the args
> > > > > dictionary, but if I do have the requires_login, I get a 404 NOT
> > > > > FOUND?
>
> > > > > If you don't believe me, can you at least point me in the right
> > > > > direction (as far as explaining the workflow) -- since I'm not seeing
> > > > > > the vars in the logging statement in Auth > requires_login() >
> > > > > decorator() -- where does requires_login get called from? Maybe I can
> > > > > track down where the vars are being lost.
>
> > > > > Any suggestions appreciated.
>
> > > > > On Sep 30, 3:46 pm, mdipierro <[email protected]> wrote:
>
> > > > > > > I am sure that is not the case. If you submit vars to a function
> > > > > > > that requires login and you are not logged in you are redirected to
> > > > > > > login (in this case vars are lost, args are not), but if you are
> > > > > > > logged in the function works normally and the vars are in
> > > > > > > request.vars.
>
> > > > > > On Sep 30, 2:28 pm, Dmitri Zagidulin <[email protected]> wrote:
>
> > > > > > > > It looks like functions that are decorated with
> > > > > > > > auth.requires_login() are not receiving their request.vars
> > > > > > > > dictionary from the url.
>
> > > > > > > > For example, say I have an auth-protected function in a controller:
>
> > > > > > > @auth.requires_login()
> > > > > > > def index():
> > > > > > >     """
> > > > > > >     Login-protected index page
> > > > > > >     """
> > > > > > >     response.flash = str(request.vars)
> > > > > > >     ...
>
> > > > > > > And then link to it from another page:
> > > > > > > > {{=A('My Index', _href=URL(r=request, f='index', vars={'testvar': 999}))}}
>
> > > > > > > > Assuming that I'm previously logged in, the flash results in an
> > > > > > > > empty dictionary -- no vars are actually passed in.
> > > > > > > > (Now, if I remove the requires_login() decorator, I can see the
> > > > > > > > 'testvar' variable just fine).
>
> > > > > > > > Looking in gluon/tools.py > Auth > requires_login(), on line 1418,
> > > > > > > > I noticed that while request.args are being encoded and passed
> > > > > > > > onto the login url, request.vars are not.
>
> > > > > > > > But when I added that in, so that the decorator now encoded and
> > > > > > > > passed on the vars, restarted the server, etc, the flash was still
> > > > > > > > coming up empty -- the vars were not being passed on.
>
> > > > > > > > I put in a logging statement into the decorator (right around line
> > > > > > > > 1416), to see if self.environment.request.vars are at least set
> > > > > > > > correctly in the body of the function.
> > > > > > > > And they are not -- the 'testvar' variable is not making it into
> > > > > > > > the decorator at all.
>
> > > > > > > > Is this a bug or a feature? And if feature, how do I pass vars
> > > > > > > > into an auth-protected function?
>
> > > > > > > > Also, passed-in args are not being handled correctly either.
> > > > > > > > For instance, for the index() function above, if I link to it like so:
> > > > > > > > {{=A('My Index', _href=URL(r=request, f='index', args='testarg'))}}
>
> > > > > > > > and display the contents of display.args (as a response.flash,
> > > > > > > > etc), and do NOT auth-protect it, the testarg shows up.
> > > > > > > > But if I decorate it with requires_login, and click on that same
> > > > > > > > link, I get a 404 NOT FOUND
>
> > > > > > > > So, it seems like instead of loading 'testarg' into the contents
> > > > > > > > of args, it tries to parse it as part of post-login routing.
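The _next round trip proposed in the reply above, as an added example that is not part of the original messages and is not web2py's own code. The function names, LOGIN_PATH and the default page are hypothetical, and the check that the decoded target is a local path is an addition, since _next arrives back from the client.

```python
import base64
from urllib.parse import urlencode, urlsplit, parse_qsl

LOGIN_PATH = "/myapp/default/user/login"  # assumed login URL, not from the thread


def login_redirect_url(path, args=(), vars=None):
    """Build the login URL, carrying the complete original URL in _next (base16)."""
    # "vars" mirrors the keyword used by URL(...) in the thread.
    original = "/".join([path.rstrip("/")] + [str(a) for a in args])
    if vars:
        original += "?" + urlencode(sorted(vars.items()))
    token = base64.b16encode(original.encode("utf-8")).decode("ascii")
    return LOGIN_PATH + "?" + urlencode({"_next": token})


def next_after_login(login_url, default="/myapp/default/index"):
    """Decode _next after a successful login; use default unless it is a local path."""
    query = dict(parse_qsl(urlsplit(login_url).query))
    try:
        target = base64.b16decode(query.get("_next", "")).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return default  # not valid base16 / UTF-8
    parts = urlsplit(target)
    local = (
        target.startswith("/")
        and not target.startswith("//")
        and "\\" not in target
        and not any(ord(c) < 0x20 for c in target)
        and not parts.scheme
        and not parts.netloc
    )
    return target if local else default


if __name__ == "__main__":
    # Constructed sample: the report link from the thread, hit while logged out.
    url = login_redirect_url("/myapp/default/myreport",
                             vars={"arg1": "value1", "arg2": "value2"})
    print(url)
    print(next_after_login(url))
```

Because the token is only encoded, not signed, the target has to be validated after decoding rather than trusted.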