Ok, that's what I am doing also. But check this scenario:
    @auth.requires_login()
    def admin_area():
        # ...do stuff...
        return ...

If a user creates a session by hand, he can access that area, right?
On Jan 31, 5:21 pm, mdipierro <[email protected]> wrote:
> All auth does on successful login is:
>
> from gluon.storage import Storage
> session.auth=Storage()
> session.auth.user = db(db.auth_user.id==logged_in_user_id).select().first()
> session.auth.user_id = session.auth.user.id
> session.auth.last_visit = request.now
>
> set session.auth=None on logout.
>
> On Jan 31, 9:08 am, Jon Romero <[email protected]> wrote:
>
> > I have created a new facebook connect plugin where the user can log in
> > to auth using FBConnect.
> > The thing that I am doing is after the user has logged in (and I have
> > his fb_uid) I create a new session like this:
>
> > if not auth.is_logged_in():
> >     user_obj = Storage(user_table._filter_fields(Users.find_by_id(user_id)[0], id=True))
> >     session.auth = Storage(user=user_obj,
> >                            last_visit=request.now,
> >                            expiration=2600)
>
> > (where Users.find_by_id(user_id) is assumed to be db(db.users.id == user_id).select())
>
> > Even though it seems to work, I don't think it is correct (because if it is
> > THAT simple for everyone to create an auth object, then he can hack the system).
>
> > I checked the auth.requires_login but I couldn't figure it out.
>
> > So, how can I create a new session programmatically (like the login
> > page does)?
--
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/web2py?hl=en.
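The following is an added, self-contained illustration of the mechanism discussed in this thread; it is not code from the thread or from web2py itself. It models what the reply says Auth does on login (build session.auth with user, user_id and last_visit; set it to None on logout) and what requires_login has to check, and it shows why "creating a session by hand" on the client does not grant access: in web2py the session contents live server-side (by default as files under the application's sessions/ folder) and the browser only holds the session id in a cookie, so session.auth can only be written by server code that has already verified the user. The Storage, SessionStore, USERS, login_user, requires_login and admin_area names below are assumptions made for this example; the real classes live in gluon.storage and gluon.tools.

```python
# Added illustration (not web2py's own code) of the login/logout mechanism
# described in the thread. All names here are assumed for the example.
import secrets
from datetime import datetime
from functools import wraps


class Storage(dict):
    """Dict with attribute access, in the spirit of gluon.storage.Storage."""

    def __getattr__(self, key):
        return self.get(key)  # missing keys read as None, as in web2py

    def __setattr__(self, key, value):
        self[key] = value


# Constructed sample user table standing in for db.auth_user.
USERS = {
    1: Storage(id=1, email="alice@example.com"),
    2: Storage(id=2, email="bob@example.com"),
}


class SessionStore:
    """Server-side session storage keyed by an unguessable id.

    The browser only ever holds the id in a cookie; the session body
    (including session.auth) stays on the server, which is what makes
    the simple login scheme safe: a client cannot write session.auth.
    """

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Storage()
        return sid

    def get(self, sid):
        """Resolve a cookie value. An unknown or forged id gets a fresh,
        empty session, never someone else's."""
        if sid not in self._sessions:
            sid = self.create()
        return sid, self._sessions[sid]


def login_user(session, user_id, now=None):
    """Mirror what the thread says Auth does on a successful login.

    Call this only after identity has been verified server-side, e.g. a
    password check or a validated Facebook Connect response."""
    user = USERS.get(user_id)
    if user is None:
        raise ValueError("unknown user")
    session.auth = Storage()
    session.auth.user = user
    session.auth.user_id = user.id
    session.auth.last_visit = now or datetime.now()
    return session.auth


def logout_user(session):
    session.auth = None


def is_logged_in(session):
    return bool(session.auth and session.auth.user_id)


def requires_login(fn):
    """Decorator in the spirit of auth.requires_login(): the action runs
    only if the server-side session carries a valid auth record."""

    @wraps(fn)
    def wrapper(session, *args, **kwargs):
        if not is_logged_in(session):
            return {"redirect": "/default/user/login"}
        return fn(session, *args, **kwargs)

    return wrapper


@requires_login
def admin_area(session):
    return {"admin_for": session.auth.user.email}


def demo():
    store = SessionStore()
    # 1. Anonymous visitor with no cookie: redirected to the login page.
    sid, session = store.get(None)
    before = admin_area(session)
    # 2. Server verifies identity, then sets session.auth itself.
    login_user(session, 1)
    after = admin_area(session)
    # 3. Client presents a hand-made cookie id: the server has no record of
    #    it, so the request lands in an empty session, not Alice's.
    _, forged = store.get("sid-made-up-by-client")
    forged_result = admin_area(forged)
    # 4. Logout clears the record, so the original cookie no longer works.
    logout_user(session)
    _, same = store.get(sid)
    after_logout = admin_area(same)
    return before, after, forged_result, after_logout
```

Running demo() walks through the four cases; the only path that yields admin access is the one where server code called login_user after verifying the user, which is exactly the guarantee the Facebook Connect plugin needs to preserve: validate the FBConnect response first, then populate session.auth.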