provide better example of how to use forbidden exception in tutorials #433
Comments
I agree with the above, I suppose, although in reality what the login-form-invoked-as-the-result-of-an-HTTPForbidden-when-the-user-already-is-not-just-Everyone could say is "your current credentials do not allow you to perform the specified operation, but you can try to log in with another set of credentials if you like, and the operation will then be performed if those credentials are permitted to perform the operation". This is also the answer to the second question above.
Please see related issue #436
Disregarding #436 temporarily (that issue could go on for weeks), can someone suggest some concrete changes to the tutorial that makes it "more correct" or whatever without requiring changes to Pyramid.
I’m writing something along these lines: I have a special template to prompt people to log in when AuthTktAuthenticationPolicy raises HTTPForbidden, and I want another template to be used when ACLAuthorizationPolicy denies a user. Permissions are not predicate parameters but effective_principal is, so if I am successful with that (and thus get things working with two view_configs instead of an ugly if in one view), I’ll report here. Reading the linked bug about 401 vs. 403 sure was enlightening :)
That’s a raw copy-paste of what I did:

```python
from pyramid.httpexceptions import HTTPForbidden
from pyramid.security import NO_PERMISSION_REQUIRED, Authenticated
from pyramid.view import view_config


@view_config(context=HTTPForbidden,
             permission=NO_PERMISSION_REQUIRED,
             renderer='login.mako')
def login_button(context, request):
    """Special template is used when not logged in."""
    # preserve status code
    request.response.status_code = context.code
    return {}


# The effective_principals predicate makes this view more specific than
# login_button, so Pyramid picks it whenever the caller is Authenticated.
@view_config(context=HTTPForbidden,
             effective_principals=Authenticated,
             # no permission is needed because of default permission 'view'
             permission=NO_PERMISSION_REQUIRED,
             renderer='denied.mako')
def forbidden_message(context, request):
    """Template body used for denied actions.

    For historical reasons, the authn system in Pyramid raises
    HTTPForbidden instead of the arguably more correct HTTPUnauthorized
    exception, so we need custom predicates to make a difference between
    "not logged in" (login_button) and "not authorized" (this view).
    """
    request.response.status_code = context.code
    return {}
```
The wiki2 tutorial (#2024) was rewritten to use a proper forbidden view that redirects to the login view. Marking this as completed.
Currently the tutorial describes a poor way to use the forbidden exception. The exception should be caught by a dedicated view that can handle authentication because usually it's a bad idea to display the login view for a user who is already logged in... which is what the current code does. Also, what's the point of having a "login url" if we are just displaying the login template at the url of the content, instead of redirecting the user to the login url.
http://docs.pylonsproject.org/projects/pyramid/en/1.3-branch/tutorials/wiki2/authorization.html#adding-login-and-logout-views
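The behaviour the issue asks for (redirect anonymous users to the login URL instead of rendering the login template at the content URL, and give an already-logged-in user a real 403) can be split into a pure decision function and a thin Pyramid view. This is an added example, not code from the tutorial or from anyone in the thread; it assumes Pyramid 1.5+ for `request.authenticated_userid`, a route named `login`, and a `next` query parameter (an assumed name) that the login view uses to send the user back.

```python
from urllib.parse import urlencode


def forbidden_plan(authenticated_userid, request_url, login_url):
    """Decide how a forbidden view should respond.

    Returns ("redirect", url) for anonymous callers: they are sent to the
    dedicated login URL with the page they wanted stored in ``next``
    (parameter name is an assumption) so the login view can return them.
    Returns ("deny", 403) for callers who are already logged in: showing
    them a login form again is pointless, so they get a real 403.
    """
    if authenticated_userid is None:
        query = urlencode({"next": request_url})
        return ("redirect", "%s?%s" % (login_url, query))
    return ("deny", 403)


def forbidden_view(request):
    """Pyramid forbidden view built on forbidden_plan().

    Assumes Pyramid 1.5+ (``request.authenticated_userid``) and a route
    named 'login'; register it with ``config.add_forbidden_view(forbidden_view)``.
    """
    # Imported here so forbidden_plan() stays usable without Pyramid installed.
    from pyramid.httpexceptions import HTTPFound, HTTPForbidden

    kind, value = forbidden_plan(
        request.authenticated_userid, request.url, request.route_url("login")
    )
    if kind == "redirect":
        return HTTPFound(location=value)
    # Logged in but the ACL denied the permission: keep the 403 status so
    # clients and logs see the real outcome instead of a 200 login page.
    return HTTPForbidden()
```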