This is a consequence of using RedirectingFormPlugin, the only repoze.who
challenger which has to reach the application to challenge (this is, display
the login form). While using this plugin there's *nothing* else you can do --
you are protecting the whole application, how is repoze.who supposed to reach
the controller action that displays the login form then?
If you don't like the workaround, you have to change the plugin (use something
like the built-in FormPlugin or write your own).
But keep in mind that in spite of this drawback, RedirectingFormPlugin-like
forms are developer-friendlier than others.
Cheers.
On Wednesday February 18, 2009 05:11:06 cd34 wrote:
> Is there ever a situation when a login method needs to be behind an
> authenticated area? Perhaps if a user logs in as an editor, then
> needs to log in as a manager, perhaps you would have that double
> authorization request. From what I see, repoze actually would replace
> the current credentials with the new privileges and starting a new
> auth session rather than adding the extra group membership.
>
> The login page should clear any existing credentials and prompt the
> user for login information and shouldn't be password protected.
> Otherwise you have to decorate every method in your RootController
> with:
>
> @require(predicates.has_permission('manage', msg=_('Only for
> managers')))
>
> except for the login and logout?
>
> So, if someone needs to protect an application, they protect the
> subcontrollers with one method, and the defined pages in the root
> controller a separate way?
>
> perhaps something like:
>
> allowed_request_url = ['/login', '/login_handler', '/
> post_login_handler', '/logout', '/post_logout_handler']
>
> if pylons.request.path in allowed_request_url:
> return True
>
> or a proper fix.
>
> The current implementation seems to stray from the DRY method.
--
When did any of us suggested such thing?
> which seems quite a bit more complex than including the above line
> once.
>
> Which of the plugins from here:
>
> http://static.repoze.org/whodocs/narr.html#module-repoze.who.plugins.sql
>
> should I be using where I can specify the allow_only on the root
> controller and have the entire application protected?
I already said that if you do want to protect the whole application and don't
want the simple and clear workaround I suggested, then you can use *any*
repoze.who challenger, except those based on the RedirectingFormPlugin.
> Are there other frameworks that put the login page behind an AAA
> method?
You don't seem to understand what is going on:
repoze.who is a WSGI middleware for authentication, used by default in TG2
applications. Because of the way TG2 configures authentication by default, for
the user to be authenticated, one of the application's controller actions must
be called. So, when authorization is denied and the user is anonymous,
repoze.who middleware catches the authorization denial exception and redirects
the user to the login form... But if you protected the login form too, there's
no way that the user will be able to log in.
*But*, if you use a different repoze.who challenger, when authorization is
denied and the user is anonymous, the repoze.who middleware catches the
authorization denial exception and the middleware *itself* renders the login
form (or an HTTP authentication prompt) -- without ever reaching the WSGI
application, so it doesn't matter if it's totally protected.
Cheers.
repoze.who is all the middleware you need, the question is what repoze.who
challenger and the answer is: You can use *any* repoze.who challenger (e.g.,
BasicAuthPlugin, FormPlugin, RedirectingFormPlugin).
The only thing to keep in mind is that if you want to use a
RedirectingFormPlugin-based challenger, your application-wide access rule must
always grant access to authentication-related URLs.
I just created a ticket so that we won't forget:
http://trac.turbogears.org/ticket/2218