Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #2277 (closed defect: fixed)

Opened 10 years ago

Last modified 9 years ago

Authz notification (WebFlash) messages are broken when TG2 doesn't configures Repoze auth software

Reported by: Gustavo Owned by:
Priority: high Milestone: 2.1a3
Component: TurboGears Version: 2.0b7
Severity: critical Keywords: WebFlash, repoze, auth

Description (last modified by Gustavo) (diff)

If I configure repoze.who and repoze.what manually, when authorization is denied I can't see the reason flashed anymore.

Everything else works perfectly, I can even see the reason printed in the logs, but WebFlash's cookie isn't set and thus that message is not printed in the page.

To reproduce it:

  1. Tell TG not to configure Repoze auth middleware by removing/commenting the following line in yourapp/config/app_cfg.py:
    base_config.auth_backend = 'sqlalchemy'
  2. Add the middleware through the following function (define it in yourapp/config/auth.py):
    from logging import INFO, getLogger
    from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
    from repoze.who.plugins.sa import (SQLAlchemyUserMDPlugin, 
    from repoze.who.plugins.friendlyform import FriendlyFormPlugin
    from repoze.what.middleware import setup_auth
    from repoze.what.plugins.sql import SqlGroupsAdapter, SqlPermissionsAdapter
    from yourapp.model import User, Group, Permission, DBSession
    def add_auth(app):
        """Add Repoze auth middleware to ``app``"""
        # --- Configuring repoze.who:
        who_args = {}
        # Adding the identifier plugins:
        cookie = AuthTktCookiePlugin(secret='secret',
        form = FriendlyFormPlugin(
        who_args['identifiers'] = [
            ('cookie', cookie),
            ('main_identifier', form)]
        # Adding authenticators:
        sql_authn = SQLAlchemyAuthenticatorPlugin(User,
        who_args['authenticators'] = [
            ('sql_authn', sql_authn)]
        # Our form is also a challenger:
        who_args['challengers'] = [
            ('form', form)]
        # Adding metadata providers:
        sql_user_md = SQLAlchemyUserMDPlugin(User, DBSession)
        who_args['mdproviders'] = [
            ('sql_user', sql_user_md)]
        # Setting the logs up:
        who_args['log_stream'] = getLogger('auth')
        who_args['log_level'] = INFO
        # --- Configuring repoze.what:
        # Adding group source adapters:
        groups_in_db = SqlGroupsAdapter(Group, User, DBSession)
        group_adapters = {'sql_groups': groups_in_db}
        # Adding permission source adapters:
        perms_in_db = SqlPermissionsAdapter(Permission, Group,
        permission_adapters = {'sql_perms': perms_in_db}
        app_with_mw = setup_auth(app, group_adapters, 
        return app_with_mw
  3. Go to yourapp/config/middleware and add the middleware:
    from yourapp.config.app_cfg import base_config
    from yourapp.config.environment import load_environment
    from yourapp.config.auth import add_auth
    __all__ = ['make_app']
    make_base_app = base_config.setup_tg_wsgi_app(load_environment)
    def make_app(global_conf, full_stack=True, **app_conf):
        app = make_base_app(global_conf, full_stack=True, **app_conf)
        # Wrap your base TurboGears 2 application with custom middleware here
        app = add_auth(app)
        return app

Finally, visit a protected page like and you'll see that the reason why authorization was denied is no longer flashed. This only fails when we're redirected to the login form.

I already tried to find what's wrong, but I couldn't. I have the feeling that it's something microscopical.

Change History

comment:1 Changed 10 years ago by Gustavo

  • Description modified (diff)

Only is 401 pages

comment:2 Changed 10 years ago by mramm

  • Priority changed from high to low

comment:3 Changed 10 years ago by mramm

Perhaps this has to do with where you are sticking auth in the stack?

Also, I'm a bit unclear about where the webflash messages should be generated in this setup, are you still using the tg.decorators.require? In that case I don't think the wsgi stack order is the issue, but I also don't have any clues...

comment:4 Changed 10 years ago by percious

  • Priority changed from low to highest

comment:5 Changed 10 years ago by percious

  • Priority changed from highest to high

comment:6 Changed 9 years ago by percious

  • Status changed from new to closed
  • Resolution set to fixed

I believe this has been fixed with the latest refactor of the config. Please feel free to reopen the ticket with updated information if this is not the case.

Note: See TracTickets for help on using tickets.