Verifying user password


Theron Luhn

Jan 12, 2015, 4:33:48 PM
to pylons-...@googlegroups.com
I'm working on authorization+authentication for my webapp.  The login has a "remember" feature so users don't have to log in each visit.  As best practice, any sensitive features (password changing, user management, billing, etc.) should require a user to verify their password before continuing.  That way a malicious individual couldn't wreak too much havoc if a user clicks "remember me" on a public terminal, for example.

I'm trying to figure out a way to implement this with Pyramid's authentication+authorization mechanisms.  A simple custom authentication policy is sufficient to declare a user as "verified" or "unverified", and the ACL authorization policy can limit access to the sensitive features to verified users.  However, I can't figure out how to take the appropriate action when access is denied.  Depending on the state of the session, I need to do one of three things:
  • No authenticated session — Redirect user to login form
  • "Unverified" session and attempting to access sensitive feature — Redirect user to verify password form
  • Everything else — Show a 403 Forbidden error page.
Any ideas on how I could achieve this?

Tom Lazar

Jan 13, 2015, 7:31:37 AM
to pylons-...@googlegroups.com
just as a general guideline i would always try to implement as much as possible via roles and permissions.

in this case i would suggest roles of perhaps Authenticated, Verified and Anonymous and then assign permissions to the views as your business logic sees fit.

this reduces the problem scope to assigning the Verified role, perhaps in a custom callback.

just a quick thought, hope it helps.

cheers,

tom

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
To post to this group, send email to pylons-...@googlegroups.com.
Visit this group at http://groups.google.com/group/pylons-discuss.
For more options, visit https://groups.google.com/d/optout.

Arndt Droullier

Jan 13, 2015, 8:37:55 AM
to Pyramid on google groups
Handling redirects in case security checks fail is quite easy. For example the following will set up a redirect:

#------------------------------------------------------------
from pyramid.config import Configurator
from pyramid.httpexceptions import HTTPForbidden, HTTPFound

def forbidden_view(context, request):
    # context is the HTTPForbidden raised when the permission check fails;
    # send the user to the login form instead of rendering a 403 page
    return HTTPFound(location=request.route_url('loginform'))

def main(global_config, **settings):
    # pyramid view configuration
    config = Configurator(settings=settings)
    config.add_route('loginform', '/login')
    config.add_view(forbidden_view, context=HTTPForbidden)
    return config.make_wsgi_app()
#------------------------------------------------------------

Password verification itself is not part of Pyramid's API. It is handled by your user management.
At least Pyramid's default AuthTktAuthenticationPolicy and ACLAuthorizationPolicy have nothing to do with passwords.
The password should be validated before you call remember.

After that to check user authentication you can use

    request.authenticated_userid

and 

    request.unauthenticated_userid

The second will give you the username even if the user session (stored in a cookie for example) has expired.

Hope this helps, Arndt.
Nive open source releases - http://os.nive.co

Theron Luhn

Jan 13, 2015, 12:09:27 PM
to Pyramid on google groups
I already know how to set up the authentication and authorization—That's no problem.  What I don't know how to do is take the correct behavior when access is denied.  AFAIK in the Forbidden view there's no context as to why access to the resource is forbidden.  I don't want to ask a user to verify their password if access will be denied to the requested resource regardless of whether they're verified or not.




Theron Luhn

Jan 13, 2015, 12:13:07 PM
to Theron Luhn, Pyramid on google groups
Just discovered that context.result in the forbidden view will be an ACLDenied object.  I might be able to work with that.  I'll play around with it and report back.


Jonathan Vanasco

Jan 13, 2015, 2:51:24 PM
to pylons-...@googlegroups.com
I'd be interested to know how you eventually achieve this, so please post an update!

I ran into the same problem a few years ago, and the Auth docs weren't really written yet... so I just ditched Pyramid's Auth system and we built our own.  

Theron Luhn

Jan 28, 2015, 2:01:00 PM
to pylons-...@googlegroups.com
Here's what I ended up doing.  Works nicely.  https://gist.github.com/luhn/47d418a04186e8740585

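One way to implement the three-way dispatch the thread works towards (login redirect, password-verify redirect, or plain 403), as an added example that is neither the linked gist nor Pyramid's own code: after a denial, re-run the ACL check with the `verified` principal added, and only send the user to the verify form if that what-if check would pass. The ACL walk is re-implemented in plain Python here so the block runs without Pyramid installed; in a real app you would call the authorization policy's `permits()` instead, and the `verified` principal name, the resource tree and the sample principals are constructed assumptions.

```python
from dataclasses import dataclass

# Constants mirroring the pyramid.security names (constructed stand-ins)
Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
VERIFIED = "verified"  # principal a custom callback grants after a password check

@dataclass
class Resource:
    # Minimal stand-in for a Pyramid resource: its __acl__ and __parent__
    acl: list
    parent: "Resource | None" = None

def acl_permits(context, principals, permission):
    """First matching ACE in the lineage wins, root is checked last, and no
    match means deny (ACLAuthorizationPolicy rules, re-implemented here)."""
    node = context
    while node is not None:
        for action, principal, perms in node.acl:
            perms = (perms,) if isinstance(perms, str) else perms
            if principal in principals and permission in perms:
                return action == Allow
        node = node.parent
    return False

def dispatch(context, permission, userid, principals):
    """Return what the view layer should do: 'allow', or on denial one of
    'login' (no session), 'verify' (verification would suffice) or '403'."""
    principals = set(principals)
    if acl_permits(context, principals, permission):
        return "allow"
    if userid is None:
        return "login"
    # What-if check: would the same request pass if the user were verified?
    if VERIFIED not in principals and acl_permits(context, principals | {VERIFIED}, permission):
        return "verify"
    return "403"

# Constructed resource tree: billing needs verification, admin needs a role
root = Resource(acl=[(Allow, Authenticated, "view")])
billing = Resource(acl=[(Allow, VERIFIED, "billing")], parent=root)
admin = Resource(acl=[(Allow, "role:admin", ("admin", "billing"))], parent=root)

if __name__ == "__main__":
    alice = {Everyone, Authenticated, "user:alice"}
    print(dispatch(billing, "billing", None, {Everyone}))             # login
    print(dispatch(billing, "billing", "alice", alice))               # verify
    print(dispatch(admin, "admin", "alice", alice))                   # 403
    print(dispatch(billing, "billing", "alice", alice | {VERIFIED}))  # allow
```

A Deny ACE that precedes the Allow in the lineage makes the what-if check fail too, so the user gets a 403 rather than a pointless verification prompt.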