No redirect when not enough credentials - TurboGears

Message from discussion No redirect when not enough credentials
Received-SPF: pass (google.com: domain of szybal...@gmail.com designates 64.233.166.179 as permitted sender) client-ip=64.233.166.179;
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
        b=xY4ClZauegP5BxTNds67EznjwTa7Tq5K9BTvWw7cx22zNb0WFagXggGS73ZL2wmkCoi69RxBAs/xvi5oxhEAM9n+Jb832Uh7mUKNpmAXFnkk400Dh2H6BtrQuF30COsZ5nGWtFC+16a/ZaU0t0oqKCbzjrL5H7HpKOWbKsPA3oc=
Message-ID: <804e5c70804241158v11e93543j1493f076eb83f7f7@mail.gmail.com>
Date: Thu, 24 Apr 2008 13:58:58 -0500
From: "Lukasz Szybalski" <szybal...@gmail.com>
To: turbogears@googlegroups.com
Subject: Re: [TurboGears] Re: No redirect when not enough credentials
In-Reply-To: <48109CC1.8050...@web.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <bb8b59590804240537i65b0b261jd780a728434f7...@mail.gmail.com>
	 <48109CC1.8050...@web.de>

On Thu, Apr 24, 2008 at 9:44 AM, Christopher Arndt <chris.ar...@web.de> wrote:
>
>  Cecil Westerhof schrieb:
>
> > I have been playing with TG for two days now and I must say that untill
>  > now I like it. ;-}
>  >
>  > With the identity module you go to a login page when you do not have
>  > enough credentials. Is it possible to make a difference between a user
>  > that is not logged in (login page) and a logged in user that has not
>  > enough credentials (entry denied)?
>
>  Yes, you can, but this is a feature of the identity framework that isn't
>  really documented well (i.e not at all ;-)).
>
>  You can set the configuration setting 'identity.failure_url' to a
>  callable, which will get evaluated every time an IdentityFailure
>  exception occurs. In this function you can then check
>
>  a) if the the user is anonymous (not logged in)
>  b) what the error message(s) of the IdentityFailure exception are
>
>  and then return different URLs depending on this info.
>
>  Example (untested):
>
>  def failure_url():
>      if (identity.current.not_anonymous and
>         'foo' in cherrypy.request.identity_errors):
>         return url('/access_denied')
>      return url('/login')
>
>  See the code for 'turbogears.identity.exceptions' (set_identity_errors,
>  IdentityFailure) and turbogears.identity.conditions (Predicate, require)
>  for particulars.
>
>
>  As a simpler, but less general alternative, you can test for the
>  required permissions *within* your controller method and then just do
>  the redirect yourself. If you are just redirecting to a "Access denied"
>  page, you probably don't need to care about retaining request parameters
>  across redirects.
>
>  Example (also untested):
>
>  class MyController(controllers.Controller, identity.SecureResource):
>      @expose('bla')
>      def bla(self):
>          if not 'foo' in identity.current.permissions:
>              if identity.current.not_anonymous:
>                  redirect('/access_denied')
>              raise identity.IdentityFailure
>
Hello Christopher,
Would be nice if what you wrote here was added to the .py file that
has the code.

http://lucasmanual.com/tgdocs/turbogears.identity.exceptions-pysrc.html#IdentityFailure.__init__

Just wondering, what is your / TG project preference when documenting
things like this. I'm sure you could copy what you wrote here in the
email and paste it to turbogears/identity/exceptions.py comment
section, and that would be painless.

Lucas