Just as a general guideline, I would always try to implement as much as 
possible via roles and permissions.

In this case I would suggest roles of perhaps Authenticated, Verified and 
Anonymous, and then assign permissions to the views as your business logic sees 
fit.

This reduces the problem scope to assigning the Verified role, perhaps in a 
custom callback.

Just a quick thought, hope it helps.

Cheers,

Tom

> On 12 Jan 2015, at 22:33, Theron Luhn <the...@luhn.com> wrote:
> 
> I'm working on authorization+authentication for my webapp.  The login has a 
> "remember" feature so users don't have to log in each visit.  As best 
> practice, any sensitive features (password changing, user management, 
> billing, etc.) should require a user to verify their password before 
> continuing.  That way a malicious individual couldn't wreak too much havoc if 
> a user clicks "remember me" on a public terminal, for example.
> 
> I'm trying to figure out a way to implement this with Pyramid's 
> authentication+authorization mechanisms.  A simple custom authentication 
> policy is sufficient to declare a user as "verified" or "unverified", and the 
> ACL authorization policy can limit access to the sensitive features to 
> verified users.  However, I can't figure out how to take the appropriate 
> action when access is denied.  Depending on the state of the session, I need 
> to do one of three things:
> No authenticated session — Redirect user to login form
> "Unverified" session and attempting to access sensitive feature — Redirect 
> user to verify password form
> Everything else — Show a 403 Forbidden error page.
> Any ideas on how I could achieve this?
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to pylons-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to pylons-discuss@googlegroups.com.
> Visit this group at http://groups.google.com/group/pylons-discuss.
> For more options, visit https://groups.google.com/d/optout.

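Tom's roles-and-permissions suggestion and Theron's three-way "what to do on denial" question, worked through as an added example that is not code from the thread or from Pyramid itself. It is plain Python with no Pyramid import so it runs stand-alone: `principals_for` plays the part of the groupfinder callback, `permits` reproduces first-matching-ACE-wins ACL semantics, and `handle_forbidden` is what a forbidden view would do. The session keys `user_id`/`verified_at`, the 15-minute `VERIFY_WINDOW`, the `/login` and `/verify` routes, the role names and the `sensitive` permission are all assumptions for illustration.

```python
"""Stand-alone model of Anonymous / Authenticated / Verified roles with a
time-boxed "Verified" role and a three-way forbidden handler.  Added example,
plain Python (no Pyramid import); session keys, routes, role names and the
VERIFY_WINDOW value are assumptions, not from the original thread."""
import time
from urllib.parse import quote

# Principal names mirror Pyramid's pyramid.security constants (assumed here).
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"
Allow, Deny = "Allow", "Deny"
ALL_PERMISSIONS = object()

VERIFY_WINDOW = 15 * 60  # seconds a fresh password entry counts as "verified" (assumption)


def principals_for(session, now=None):
    """Derive principals from session state, like a groupfinder callback.

    A remembered login earns Authenticated but never Verified on its own:
    'role:verified' requires a recent password re-entry (session['verified_at']).
    """
    now = time.time() if now is None else now
    principals = [Everyone]
    user_id = session.get("user_id")
    if user_id is None:
        return principals  # anonymous
    principals += [Authenticated, "user:%s" % user_id, "role:authenticated"]
    verified_at = session.get("verified_at")
    # Reject stale and future timestamps alike; the window is the whole point.
    if verified_at is not None and 0 <= now - verified_at < VERIFY_WINDOW:
        principals.append("role:verified")
    return principals


# Root ACL: sensitive views carry the 'sensitive' permission (assumed name).
ACL = [
    (Allow, Everyone, "view"),
    (Allow, "role:authenticated", "edit"),
    (Allow, "role:verified", "sensitive"),  # password change, billing, user admin
]


def permits(acl, principals, permission):
    """ACL check with Pyramid-style semantics: the first matching ACE decides."""
    for action, principal, perms in acl:
        if principal not in principals:
            continue
        if perms is ALL_PERMISSIONS:
            return action == Allow
        perm_set = perms if isinstance(perms, (list, tuple, set)) else (perms,)
        if permission in perm_set:
            return action == Allow
    return False  # default deny


def handle_forbidden(session, permission, path, now=None):
    """The three outcomes for a denied request, as described in the thread.

    Returns (status, location): 302 + login URL, 302 + verify URL, or 403.
    """
    principals = principals_for(session, now)
    next_param = quote(path, safe="")
    if Authenticated not in principals:
        return 302, "/login?next=%s" % next_param
    # Only send the user to the password prompt if verifying would actually
    # grant access; otherwise they would loop on a view they can never reach.
    if permits(ACL, principals + ["role:verified"], permission):
        return 302, "/verify?next=%s" % next_param
    return 403, None


def dispatch(session, permission, path, now=None):
    """Authorize one request against the ACL; on denial, route to handle_forbidden."""
    if permits(ACL, principals_for(session, now), permission):
        return 200, None
    return handle_forbidden(session, permission, path, now)


if __name__ == "__main__":
    now = time.time()
    for label, sess in [("anonymous", {}),
                        ("remembered", {"user_id": 7}),
                        ("verified", {"user_id": 7, "verified_at": now - 60}),
                        ("stale", {"user_id": 7, "verified_at": now - 3600})]:
        print(label, dispatch(sess, "sensitive", "/billing", now))
```

In a real Pyramid application the body of `principals_for` would become the `callback` passed to `AuthTktAuthenticationPolicy`, the ACL would live on the root factory's `__acl__` with `ACLAuthorizationPolicy` installed, and `handle_forbidden` would be a view registered with `forbidden_view_config` that returns `HTTPFound` or `HTTPForbidden`. The freshness window is the security-relevant detail: without it, a "remember me" cookie that once saw a password entry would stay Verified forever, which defeats the purpose of the step-up check.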
