Message from discussion
No redirect when not enough credentials
Date: Thu, 24 Apr 2008 16:44:17 +0200
From: Christopher Arndt <chris.ar...@web.de>
To: turbogears@googlegroups.com
Subject: Re: No redirect when not enough credentials

Cecil Westerhof wrote:
> I have been playing with TG for two days now and I must say that until
> now I like it. ;-}
>
> With the identity module you go to a login page when you do not have
> enough credentials. Is it possible to make a difference between a user
> that is not logged in (login page) and a logged in user that has not
> enough credentials (entry denied)?

Yes, you can, but this is a feature of the identity framework that isn't
really documented well (i.e. not at all ;-)).

You can set the configuration setting 'identity.failure_url' to a
callable, which will get evaluated every time an IdentityFailure
exception occurs. In this function you can then check

a) if the user is anonymous (not logged in)
b) what the error message(s) of the IdentityFailure exception are

and then return different URLs depending on this info.

Example (untested):

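    import cherrypy
    from turbogears import identity, url

    def failure_url():
        # Logged in, and 'foo' is among the identity error messages.
        if (identity.current.not_anonymous and
                'foo' in cherrypy.request.identity_errors):
            return url('/access_denied')
        # Otherwise (e.g. anonymous user): send to the login page.
        return url('/login')
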
See the code for 'turbogears.identity.exceptions' (set_identity_errors,
IdentityFailure) and turbogears.identity.conditions (Predicate, require)
for particulars.

As a simpler, but less general alternative, you can test for the
required permissions *within* your controller method and then just do
the redirect yourself. If you are just redirecting to an "Access denied"
page, you probably don't need to care about retaining request parameters
across redirects.

Example (also untested):

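    from turbogears import controllers, expose, identity, redirect

    class MyController(controllers.Controller, identity.SecureResource):
        @expose('bla')
        def bla(self):
            if 'foo' not in identity.current.permissions:
                if identity.current.not_anonymous:
                    # Logged in but lacking 'foo': show the denial page.
                    redirect('/access_denied')
                # Not logged in: raise the identity failure instead.
                raise identity.IdentityFailure
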
See also
http://docs.turbogears.org/1.0/UsingIdentity#explicit-permission-checking
HTH, Chris
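
Added example (not part of the original message and not TurboGears code): a stand-alone Python 3 model of the dispatch described above, showing that a fixed failure URL sends a logged-in but unauthorized user to the login page, while a callable can separate "not logged in" from "not authorized". Identity, IdentityFailure, require_permission, resolve_failure_url and dispatch are hypothetical stand-ins, and this failure_url takes its inputs as arguments instead of reading framework globals.

```python
from collections import namedtuple

# Hypothetical stand-in for identity.current (constructed for this example).
Identity = namedtuple("Identity", "user_name permissions")
ANONYMOUS = Identity(None, frozenset())


class IdentityFailure(Exception):
    """Stand-in exception that carries the error messages of a failed check."""

    def __init__(self, errors):
        super().__init__(*errors)
        self.errors = list(errors)


def require_permission(current, permission):
    """Predicate check: raise IdentityFailure with a message when it fails."""
    if permission not in current.permissions:
        raise IdentityFailure(["Permission denied: %s" % permission])


def failure_url(current, errors):
    """Callable setting: pick the target from login state and error messages."""
    if current.user_name is not None and errors:
        # Logged in but refused: a login form cannot help this user.
        return "/access_denied"
    return "/login"


def resolve_failure_url(setting, current, errors):
    """The setting may be a fixed URL string or a callable."""
    return setting(current, errors) if callable(setting) else setting


def dispatch(setting, current, permission, path):
    """Return the path that is served: the requested one or the failure target."""
    try:
        require_permission(current, permission)
    except IdentityFailure as exc:
        return resolve_failure_url(setting, current, exc.errors)
    return path


if __name__ == "__main__":
    member = Identity("alice", frozenset(["bar"]))  # constructed sample user
    print(dispatch("/login", member, "foo", "/bla"))     # fixed string setting
    print(dispatch(failure_url, member, "foo", "/bla"))  # callable setting
```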