Note, even if you build your own system for tracking login in the session,
you can still use the Auth decorators. For example, if a logged in user has
something like logged_in=True in the session, you could do:
    @auth.requires(session.logged_in, requires_login=False)
    def myfunction():
        ...  # etc.
The requires_login=False may seem misleading, but that just means the usual
Auth login is not required (by default, @auth.requires() does require
standard login, in addition to whatever the required condition is).
If you put an object called "auth" in the session with auth.last_visit and
auth.user attributes, you can even use the standard @auth.requires_login()
decorator (all it does is check for auth.user in the session). Check the
logic here: http://code.google.com/p/web2py/source/browse/gluon/tools.py#902.
Anthony
On Sunday, July 15, 2012 2:30:36 PM UTC-4, Pystar wrote:
>
> OK, let's see how that goes
>
> On Sun, Jul 15, 2012 at 7:28 PM, Jonathan Lundell <[email protected]> wrote:
>
>> On 15 Jul 2012, at 11:13 AM, Ehigie Aito wrote:
>>
>> only when the session expires according to web2py rules or the user
>> explicitly logs off
>>
>>
>> I'm thinking that it's overkill, and more trouble than it's worth, to use
>> web2py's Auth subsystem for this kind of authentication. Track the
>> authentication state in the session, and write your own Auth class that
>> implements what you need. Maybe call it something else to avoid confusion
>> (and you might want to use gluon.tools.Auth for your administrative
>> accounts anyway).
>>
>> A session then has an initial state, a password-sent state, and a
>> logged-in state (plus perhaps some housekeeping, like a failure count).
>>
>> No doubt you *could* hack around gluon.tools.Auth, but it doesn't seem
>> like it'd be less work.
>>
>>
>> On Sun, Jul 15, 2012 at 7:12 PM, Jonathan Lundell <[email protected]> wrote:
>>
>>> On 15 Jul 2012, at 11:10 AM, Ehigie Aito wrote:
>>>
>>> Just the telephone number and nothing else.
>>>
>>>
>>> And how persistent is the login? At what point do I as a user have to go
>>> through the SMS handshake again?
>>>
>>>
>>> On Sun, Jul 15, 2012 at 4:48 PM, Jonathan Lundell <[email protected]>
>>> wrote:
>>>
>>>> On 15 Jul 2012, at 6:48 AM, Pystar wrote:
>>>>
>>>> I am confused on how to implement this strange authentication mechanism
>>>> and incorporate it into web2py and make it work natively.
>>>> Take this as an example of how it would work:
>>>> There is no registration on the site, whenever a user wants to log in to
>>>> perform any action, he clicks on the login button, which takes him to a
>>>> form where he enters his phone number and a random alphanumeric code is
>>>> generated and sent to his phone which he now enters and gets authenticated
>>>> and he can now perform whatever action he wants.
>>>> How do I get this to play with login_bare() and @auth.requires_login()?
>>>>
>>>>
>>>> A couple of questions.
>>>>
>>>> Does the user enter anything other than the phone number (and later the
>>>> code) as part of the login/auth process?
>>>>
>>>> How persistent is the login?
>>>>
>>>>
>>>
>>>
>>
>>
>>
>