OK, I updated the book again.
On Friday, June 1, 2012 10:43:42 AM UTC-4, Massimo Di Pierro wrote:
>
> There is a major problem with the VPS that hosts the book. It is down and
> I can no longer log in to it. I am forced to restore it as of May 29. This
> change will be lost. Sorry Anthony.
>
> Massimo
>
> On Thursday, 31 May 2012 23:05:09 UTC-5, Anthony wrote:
>>
>> Just updated the book:
>> http://web2py.com/books/default/chapter/29/9#Access-Control-and-Basic-Authentication
>>
>> Anthony
>>
>> On Thursday, May 31, 2012 10:54:50 PM UTC-4, Anthony wrote:
>>>
>>> Sorry, forgot login_bare adds the user to auth, so it's simpler:
>>>
>>> auth.settings.allow_basic_login = True
>>> auth.basic()
>>> if auth.user:
>>>     etc.
>>>
>>> Anthony
>>>
>>> On Thursday, May 31, 2012 10:49:04 PM UTC-4, Anthony wrote:
>>>>
>>>> If you can confirm that this works, I'll add it to the book.
>>>>
>>>> On Thursday, May 31, 2012 10:48:21 PM UTC-4, Anthony wrote:
>>>>>
>>>>> Looks like you can do:
>>>>>
>>>>> auth.settings.allow_basic_login = True
>>>>> auth.user = auth.basic()[2]
>>>>> if auth.user:
>>>>>     etc.
>>>>>
>>>>> But this doesn't appear to be documented. Perhaps auth.basic() should
>>>>> automatically populate auth.user rather than simply returning it as
>>>>> part of a tuple.
>>>>>
>>>>> Anthony
>>>>>
>>>>> On Thursday, May 31, 2012 10:12:14 PM UTC-4, G. Clifford Williams wrote:
>>>>>>
>>>>>> Given the following code snippet in a controller (default or any
>>>>>> other):
>>>>>>
>>>>>> auth.settings.allow_basic_login = True
>>>>>> def howdy():
>>>>>>     auth.settings.allow_basic_login = True
>>>>>>     response.view = 'generic.json'
>>>>>>     if auth.user:
>>>>>>         this_user = auth.user.id
>>>>>>     else:
>>>>>>         this_user = "unset"
>>>>>>     return dict(user=this_user)
>>>>>>
>>>>>> if the controller action is called as such:
>>>>>>
>>>>>> % curl --user '[email protected]:supersecretpassword' http://127.0.0.1:8000/myapp/controller/howdy
>>>>>>
>>>>>> the response you'll get is this:
>>>>>>
>>>>>> {"user": "unset"}
>>>>>>
>>>>>> The same goes for using auth.is_logged_in():
>>>>>>
>>>>>> The result is different, however, when you use one of the 'requires'
>>>>>> decorators:
>>>>>>
>>>>>> auth.settings.allow_basic_login = True
>>>>>>
>>>>>> def howdy():
>>>>>>     auth.settings.allow_basic_login = True
>>>>>>     @auth.requires_login()
>>>>>>     def proforma():
>>>>>>         pass  # empty function just to invoke auth.requires
>>>>>>     proforma()  # call empty function
>>>>>>     response.view = 'generic.json'
>>>>>>     if auth.user:
>>>>>>         this_user = auth.user.id
>>>>>>     else:
>>>>>>         this_user = "unset"
>>>>>>     return dict(user=this_user)
>>>>>>
>>>>>> this results in:
>>>>>>
>>>>>> % curl --user '[email protected]:supersecretpassword' http://127.0.0.1:8000/myapp/controller/howdy
>>>>>> {"user": 1}
>>>>>>
>>>>>> After some digging I discovered that in tools.py auth.requires_* ends
>>>>>> up calling login_bare, which is why the second one works. I realize
>>>>>> that according to the book
>>>>>> (http://web2py.com/books/default/chapter/29/9?search=login_bare)
>>>>>> login_bare() can be called to login the user "manually".
>>>>>> Unfortunately the examples for auth.settings.allow_basic_login in the
>>>>>> manual/book
>>>>>> (http://web2py.com/books/default/chapter/29/9#Access-Control-and-Basic-Authentication,
>>>>>> http://web2py.com/books/default/chapter/29/9#Settings-and-messages,
>>>>>> & http://web2py.com/books/default/chapter/29/10#Access-Control)
>>>>>> don't address the fact that no login is actually executed without the
>>>>>> decorators. With the last example, if someone wanted to use that as a
>>>>>> guide they might think that changing:
>>>>>>
>>>>>> @auth.requires_login()
>>>>>> @request.restful()
>>>>>> def api():
>>>>>>     def GET(s):
>>>>>>         return 'access granted, you said %s' % s
>>>>>>     return locals()
>>>>>>
>>>>>> to:
>>>>>>
>>>>>> @request.restful()
>>>>>> def api():
>>>>>>     def GET(s):
>>>>>>         if auth.is_logged_in():
>>>>>>             return 'access granted, you said %s' % s
>>>>>>         else:
>>>>>>             return 'access denied'
>>>>>>     return locals()
>>>>>>
>>>>>> should work, but they would be mistaken (and likely to spend much
>>>>>> time trying to figure out why one worked and the other did not). I
>>>>>> don't know whether it was the intention that using basic auth prevent
>>>>>> a call to log the user in by default. It seems that either the code
>>>>>> should be fixed or we should update the documentation to clarify that
>>>>>> login_bare() should be called explicitly (directly or indirectly) to
>>>>>> actually execute the login process.
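
The behaviour reported in this thread, as an added example that is not part of the original messages and is not web2py's code: `MiniAuth` is a hypothetical stand-in in which the Authorization header is evaluated only when `basic()` is called, so a check of `auth.user` made before that call sees no user even when valid credentials were sent. The user store, `MiniAuth`, `howdy(auth, authenticate_first)` and `basic_header` are all constructed for illustration.

```python
import base64
import hmac

# Constructed sample user store: email -> (user id, password). A real app
# stores password hashes, never plaintext; this only keeps the sketch short.
USERS = {"alice@example.com": (1, "supersecretpassword")}


class MiniAuth:
    """Simplified stand-in for the behaviour described in the thread,
    not web2py's Auth class: credentials are evaluated only in basic()."""

    def __init__(self, headers):
        self.headers = headers
        self.user = None  # nothing has looked at the Authorization header yet

    def is_logged_in(self):
        return self.user is not None

    def basic(self):
        """Parse 'Authorization: Basic ...' and populate self.user on success."""
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return False  # a malformed header is a failed login, not a crash
        name, sep, password = decoded.partition(":")
        record = USERS.get(name)
        expected = record[1] if record else ""
        # compare_digest avoids leaking how much of the password matched.
        ok = hmac.compare_digest(password.encode(), expected.encode())
        if sep and record and ok:
            self.user = {"id": record[0], "email": name}
        return self.is_logged_in()


def howdy(auth, authenticate_first):
    """The thread's action: report the user id, or 'unset'."""
    if authenticate_first:
        auth.basic()  # the explicit call that the first snippet was missing
    return {"user": auth.user["id"] if auth.is_logged_in() else "unset"}


def basic_header(name, password):
    """Build the header a client such as curl --user would send."""
    raw = f"{name}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
```

With valid credentials, `howdy(..., authenticate_first=False)` still reports "unset"; only the call that runs `basic()` first reports the user id, and bad or malformed credentials stay "unset" in both cases.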

