Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #2089 (closed defect: duplicate)

Opened 10 years ago

Last modified 10 years ago

Write a repoze.who challenge decider

Reported by: Gustavo Owned by: Gustavo
Priority: high Milestone: 2.0b5
Component: TurboGears Version: trunk
Severity: critical Keywords: repoze.who, auth, quickstart


Quickstarted TG2 applications use the default repoze.who challenge decider, which will request a challenger (e.g., display login form) simply based on whether the downstream WSGI application rejected the request (e.g., a predicate not met if using repoze.what).

As a result, if a logged in user tries to access an action whose predicate is not met (e.g., an editor and an action that requires "admin" rights), she will get the login form instead of a message that notifies her that she's not allowed to see that page.

So, we need a challenger decider which acts like the default one, except that if the user has been authenticated it won't request a challenge (but then we'll also have to handle the failure by flashing the error to the user).

Change History

comment:1 Changed 10 years ago by mramm

  • Milestone changed from 2.0b1 to 2.0b2

comment:2 Changed 10 years ago by mramm

  • Milestone changed from 2.0b2 to 2.0b3

comment:3 Changed 10 years ago by Gustavo

  • Status changed from new to closed
  • Resolution set to duplicate

#2112 is a more extensible solution.

Note: See TracTickets for help on using tickets.