auth.login() does not return input value (username) on error, if auth.define_tables(username=True).

[Mark Li]

After submitting a failed login attempt with auth.login(), the failed username input is not returned (it is cleared out). This is not a problem when auth.define_tables(username=False), which would return the failed email input upon login error. But, when username=True, the form no longer returns the failed input after a login error. This would be an important issue for users, because they don't see their failed credentials that they previously typed (excluding the password).

I added a print request.function to the model, and after a failed login attempt (with auth.define_tables(username=True)), there is a double redirect, which seemed to cause problems previously as well: https://groups.google.com/forum/#!searchin/web2py/auth.login$20return$20username/web2py/9omfJYNoOC8/RrLOgeXENvMJ

[Mark Li]

My previous post was somewhat off.

Actually, what happens is that if the form passes validation, but has incorrect login credentials, auth.login() will trigger a redirect with the following code:

redirect(self.url(args=request.args, vars=request.get_vars),
                            client_side=settings.client_side)

Upon redirect, the form.vars are lost, and thus the form is no pre-populated with the previously typed in value. This redirect does not occur if the form does not pass validation (such as having an invalid email), and thus the returned form still has form.vars

If the login credentials are incorrect, the returned form should have all the previously typed in values (except for the password for security reasons), so the user can see where they made the error. If you return a blank form, the user must guess what they typed in the username/email input, which is needlessly frustrating.

[Mark Li]

Is there a reason for this behavior? Or is it a bug?

[Mark Li]

I posted a google code ticket in case anyone else stumbles across this: https://code.google.com/p/web2py/issues/detail?id=1987

For now, I will directly alter the form HTML to include the values for username/email input after a failed login.

[Leonel Câmara]

Humm I had to add keepvalues=True (there could be an auth.settings.keepvalues) to the form.accepts and remove the redirect replacing it with a return form.

Basically:

                if form.accepts(request, session if self.csrf_prevention else None,

                                formname='login', dbio=False,

                                onvalidation=onvalidation,

                                hideerror=settings.hideerror, keepvalues=True):

               (....)

                    if not user:

                        self.log_event(self.messages['login_failed_log'],

                                       request.post_vars)

                        # invalid login

                        session.flash = self.messages.invalid_login

                        callback(onfail, None)

                        #redirect(

                        #    self.url(args=request.args, vars=request.get_vars),

                        #    client_side=settings.client_side)

                        return form

Why are we redirecting anyway?

[Mark Li]

Feel like this should be the default behavior, although I'm not sure if there's a particular reason for redirecting as opposed to returning a form.

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py/gXBfCGki9ns/unsubscribe.
To unsubscribe from this group and all its topics, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.