
Ticket #699 (closed defect: wontfix)

Opened 13 years ago

Last modified 12 years ago

Making Root subclass identity.SecureResource produces an infinite recursive loop

Reported by: bjourne@…
Owned by: anonymous
Priority: normal
Milestone:
Component: Identity
Version:
Severity: major
Keywords:
Cc: jeff

Description

A controller like this (mostly quickstarted boilerplate; note that the root controller itself, and therefore every method on it including login, is a SecureResource):

import cherrypy
import turbogears
from turbogears import controllers
from turbogears import identity
# _ is TurboGears' gettext; a quickstarted app has it available as a builtin.

class Root(controllers.RootController, identity.SecureResource):
    # Applies to every request dispatched through Root, /login included.
    require = identity.in_group("admin")

    @turbogears.expose(template="identitiy.templates.welcome")
    def index(self):
        import time
        return dict(now=time.ctime())

    @turbogears.expose(html="identitiy.templates.login")
    def login(self, forward_url=None, previous_url=None, *args, **kw):

        if not identity.current.anonymous and identity.was_login_attempted():
            raise turbogears.redirect(forward_url)

        forward_url = None
        previous_url = cherrypy.request.path

        if identity.was_login_attempted():
            msg = _("The credentials you supplied were not correct or "
                    "did not grant access to this resource.")
        elif identity.get_identity_errors():
            msg = _("You must provide your credentials before accessing "
                    "this resource.")
        else:
            msg = _("Please log in.")
            forward_url = cherrypy.request.headers.get("Referer", "/")
        cherrypy.response.status = 403
        return dict(message=msg, previous_url=previous_url, logging_in=True,
                    original_parameters=cherrypy.request.params,
                    forward_url=forward_url)

Produces an infinite recursive loop that shows up like this on the console:

2006-03-31 11:00:38,458 turbogears.identity DEBUG Retrieving identity for visit: 3
2006-03-31 11:00:38,459 turbogears.identity INFO Identity is available...
2006-03-31 11:00:38,461 turbogears.identity DEBUG Retrieving identity for visit: 3
2006-03-31 11:00:38,462 turbogears.identity INFO Identity is available...
2006-03-31 11:00:38,465 turbogears.identity DEBUG Retrieving identity for visit: 3
2006-03-31 11:00:38,465 turbogears.identity INFO Identity is available...

Change History

comment:1 Changed 13 years ago by anonymous

  • Cc jeff added

comment:2 Changed 13 years ago by plewis

I think this may be a case of "don't do that". Here is the probable progression, I'm guessing a little bit.

1) User hits the url "/" unauthenticated. Identity redirects the user to "identity.failure_url", which is probably "/login" (just guessing).

2) The /login controller is protected (only admins can hit it), so identity tries again (redirect to "/login"). Repeat forever.

Something could be done to trap the recursion, but in essence identity is doing what you asked it to do; don't let anyone who isn't an admin see any controllers attached to Root, and this includes the /login controller.

If you really want to do this, you are going to need to authenticate the user outside of the root controller somehow (perhaps a static form or a page outside of the turbogears app).

comment:3 Changed 13 years ago by jeff

  • Status changed from new to closed
  • Resolution set to wontfix

I agree with Patrick on this one. If you want your root controller to be secure, you're going to have to authenticate somewhere else.

The only thing I would consider (and I simply don't know how to do this) is putting a check in SecureResource and throwing an exception if the object is also an instance of RootController.
