[web2py] Auth - overlapping permissions problem

2020-07-16 Thread Paul Ellis
The situation is that I have permissions associated with auth_groups. 

e.g. user, team leader, business leader, oversight

Now I need a "secretary" or "accounts" group which has access to some 
business leader features, i.e. reports.
Some team leader features, i.e. price maintenance.
But does not have access to the basic features of normal users.

I can't see how to make an auth_group which has permissions which are 
already associated with another group.

I am hoping for a solution which does not involve hard coding access to 
these features using @auth.has_membership('accounts') as I don't expect 
this to be the last case of overlapping permissions.

Ideally I can make an interface where business leaders can make a custom 
permission group and assign it to their employees. Without creating a 
situation where each new employee needs to have a permission allocated for 
every little thing.
i.e. customer maintenance, customer delete, product related permissions, 
product permissions where special knowledge is required...

Is this possible with the Web2py Auth System?

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/e5b39f90-7aa7-4634-b4f9-83fa56e1cdb7o%40googlegroups.com.


[web2py] auth wiki page extra fields

2019-05-03 Thread 'Cyrus Oktor' via web2py-users
Hello,
auth.wiki allows adding extra fields to a wiki page, for instance
auth.settings.extra_fields["wiki_page"] = [Field('cargar', 'upload'), ]
The field appears in the wiki edit menu, but how can it be rendered in the 
view? 
Thank you



[web2py] Auth issues when using ldap

2018-10-26 Thread lbjc1978
I am trying out the ldap authentication from an app but encountered this 
error:

  File "/home/mau/web2py/gluon/globals.py", line 421, in 
    self._caller = lambda f: f()
  File "/home/mau/web2py/applications/schoop/controllers/default.py", line 43, in user
    if con_parameters[0] != request.vars["host"] or request.vars["username"] != 'admin':
TypeError: 'Auth' object does not support indexing

Here is the code:

if "host" in request.vars:
    session.server = request.vars["host"]
    session.username = request.vars["username"]
    session.password = request.vars["password"]
    con_parameters = auth.settings.login_methods[0]  # .__defaults__)

    """session.secureAuth = "off"
    if request.vars["secureAuth"]=="on":
        session.secureAuth= request.vars["secureAuth"]"""

    if con_parameters[0] != request.vars["host"] or request.vars["username"] != 'admin':
        new_parameters = list(con_parameters)
        new_parameters[0] = request.vars["host"]





[web2py] Auth question

2018-10-16 Thread Rahul
Hey Everyone,
   Greetings! I have a question. I went through Auth documentation and 
understood that we can add extra fields to the Auth tables. However, I 
still want to be a little more clear to achieve below - I am currently 
using three fields for a multi-tenant system like workspace, username and 
password. Here workspace depicts where the user belongs to (see explanation 
in Q1 below) I am currently using my own code to manage this stuff manually 
(almost everything that auth does), now though I want to give Auth a try 
and tailor it to fit my needs. I don't want to maintain that amount of code 
and use the existing API. Can I get help on achieving that in the simplest 
way? If it works, I would switch to using Auth.

*Q1]* How can we use Auth to add one more extra field for authentication 
when I want a system to validate login based on three parameters like - 
Validation needs to be done based on all three parameters specified. For 
each application I can use 'n' number of unique workspaces and 'n' number 
of users would belong to these workspaces. How to do this?

   1. *workspace* - An alphanumeric field that would store a unique name 
   denoting users belonging to a particular set (for example users working 
   in a specific location like los-angeles or washington) or an office 
   location like michigan, nevada or zones like north, south .. sort-of etc.
   2. *username* - It's available already 
   3. *password* - It's available already

*Q2]* Which tables need to be modified? 

*Q3]* Any changes in any other code in any files? 

I know I can clone my app multiple times and support multi-tenancy however, 
if this can be achieved with Auth - that would be great. 

Regards,

*Rahul *



[web2py] web2py auth through AWS cognito

2018-09-17 Thread kryton4567


I am changing the login authentication to be handled by AWS Cognito and 
require some clarification around the approach as I cannot get it to work 
correctly.

   1. I have created a class cog_login that has been assigned to the

      auth.settings.login_methods = [cog_login]

   2. One of the functions that is in the class is called authenticate() that 
   takes username and password arguments that the user enters from the 
   standard web2py forms user/login
   3. In the def user() controller in default I have the following:

      cog_login().authenticate(request.vars.email, request.vars.password)

      This queries AWS and returns True if passes, False otherwise.

   4. I am not clear on what to do with the True, False response within the 
   def user() as it doesn't seem to populate auth.user which always remains as 
   None.
   5. I have tried to force the population of auth.user getting the contents 
   of auth_user, i.e. auth.user = row[0]. This does populate auth.user 
   performing tests auth.is_logged_in() results in a True response.

      However when continuing through the def user() the standard onlogin 
      redirect doesn't forward to the main page indicating web2py isn't recording 
      this as authentication accepted.

   6. I have also tried a redirect if "auth.is_logged_in()" but the 
   decorators @auth.requires_login on the main page don't detect the login and 
   redirect back to the login page.

--

Is this approach correct? I seem to be missing a step that knits the 
successful AWS login to Web2py



[web2py] auth tables rname

2018-07-13 Thread fiubarc
Hello, does anybody know how to set rname on auth tables? Is it possible 
without redefining each table? 

I need it because I use Postgres and users in a separate schema.

Thanks!!



[web2py] auth decorator with rest api

2018-04-12 Thread yogeshwar khalkar


Hi All,


I was implementing the @auth.requires_login() with @request.restful() but it 
is not working.

It redirects me every time even if I am logged in.


@auth.requires_login()
@request.restful()
def getActivity():
    def POST():
        data = "do Something"
        return json(data)
    return locals()


Here is my login API


@request.restful()
def login():
    def POST():
        fields = simplejson.loads(request.body.read())
        user = super(Auth, auth).login(**fields)
        return json(user)
    return locals()


please help me with it.



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-25 Thread Manuele Pesenti
On 25/03/18 00:51, Patrick Rodrigues wrote:
> I was developing the same feature for my website today, and this helped
> me a lot.
> In my case I was using Django Rest Framework, and I was using
> request.data and parsing it to JSON, instead of using request.body.
> But now it works, thank you for this conversation.

Hi Patrick!

Happy to have been useful in some way :)

    M.



[web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-25 Thread Patrick Rodrigues
I was developing the same feature for my website today, and this helped me a 
lot.
In my case I was using Django Rest Framework, and I was using request.data 
and parsing it to JSON, instead of using request.body.
But now it works, thank you for this conversation.

On Wednesday, February 28, 2018 at 06:51:38 UTC-3, Manuele wrote:
>
> Hi! 
>
> I need to develop a web service that listens to webhook calls from a 
> woocommerce site, I thought to write a little check class to pass to 
> auth.requires decorator like the following: 
>
>
> class HookCheck(object):
>     secret = ''
>
>     def __init__(self):
>         super(HookCheck, self).__init__()
>         self()
>
>     def compute(self, body):
>         dig = hmac.new(self.secret.encode(),
>                        msg = body.encode(), # your_bytes_string
>                        digestmod = hashlib.sha256
>                        ).digest()
>         computed = base64.b64encode(dig).decode()
>         return computed
>
>     def __call__(self):
>         signature = '' # <- how can I get from the request headers?
>         body = request.body.read() # <- Is it the right string to encode?
>         computed = self.compute(body)
>         print signature, computed, signature==computed
>         return signature==computed
>
>
> @service.json
> @auth.requires(HookCheck(), requires_login=False)
> def listenToHooks():
>     return {}
>
>
> can somebody help me to get the correct values of the hook signature and 
> the raw call body to check? 
>
> As far as I know the signature is contained in the header field 
> "X-Wc-Webhook-Signature" and I'm not sure if the string from which to get 
> the hmac hash is just what I get from the read method of the 
> request.body object. 
>
> thanks a lot 
>
>  Manuele 
>
>



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-17 Thread Manuele Pesenti
On 16/03/18 15:59, Anthony wrote:
> I'm not sure if it includes the entire original HTTP message or just
> the request body, but you can try request.env['wsgi.input']. If that
> doesn't work, web2py (and probably any WSGI-compliant framework) would
> not have access to the original HTTP message (which is parsed by the
> web server before passing request data to the web framework/application).
>
> Anthony

Thanks Anthony for your attention,

now I've solved it... there was no problem in the procedure but in the
tested data I copied from web services (such as requestb.in or directly
from the woocommerce event log web page) that I didn't notice they were
converting strings such as "" into the character €. That's why I
didn't get the correct encoded string.
Directly using what I get from request.body.read() everything worked fine.

Best regards

    Manuele


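The check this thread converges on, as an added example that is not code from any poster: the signature is a base64 HMAC-SHA256 over the request body bytes exactly as received, so a body copied from a rendered log page or re-serialized from parsed JSON no longer verifies. The secret, the body (with a constructed `&euro;` entity) and the helper names are assumptions made for illustration; in web2py the inputs would be `request.body.read()` and `request.env.http_x_wc_webhook_signature`, as discussed in the thread. Written for Python 3.

```python
import base64
import hashlib
import hmac
import html
import json


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the body bytes exactly as received."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value matches the HMAC of raw_body."""
    if not secret or not header_value:
        # An unset secret or a missing signature header must fail closed.
        return False
    expected = compute_signature(secret, raw_body).encode("ascii")
    received = header_value.strip().encode("utf-8")
    # Constant-time comparison, so the check does not leak how many
    # leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected, received)


# Constructed sample data (hypothetical, not taken from the thread).
SECRET = b"constructed-test-secret"
RAW_BODY = b'{"id":42,"name":"Mug","price_html":"12,00&euro;"}'
# What the sender would put in the X-WC-Webhook-Signature header.
SIGNATURE = compute_signature(SECRET, RAW_BODY)


def demo() -> dict:
    """Verify the same delivery in the forms a developer may end up holding."""
    text = RAW_BODY.decode("utf-8")
    # Copy taken from a page that renders HTML entities: "&euro;" became "€".
    display_copy = html.unescape(text).encode("utf-8")
    # Body parsed to a dict and dumped again: same data, different bytes.
    reserialized = json.dumps(json.loads(text)).encode("utf-8")
    # Body modified in transit.
    tampered = RAW_BODY.replace(b'"id":42', b'"id":43')
    return {
        "raw bytes as received": verify_webhook(SECRET, RAW_BODY, SIGNATURE),
        "entity-decoded copy": verify_webhook(SECRET, display_copy, SIGNATURE),
        "re-serialized JSON": verify_webhook(SECRET, reserialized, SIGNATURE),
        "tampered body": verify_webhook(SECRET, tampered, SIGNATURE),
        "missing header": verify_webhook(SECRET, RAW_BODY, None),
        "empty secret": verify_webhook(b"", RAW_BODY, SIGNATURE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-24s %s" % (case, "accepted" if ok else "rejected"))
```

Only the first case is accepted; a handler should read the raw body once, verify it, and parse JSON from those same bytes afterwards.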


Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-16 Thread Anthony

>
> Before to definitely fly to other places where to find answers to my 
> problem I have one little question related with web2py...
> In woocommerce documentation they say this about request signature:
>
> "X-WC-Webhook-Signature - a base64 encoded HMAC-SHA256 hash of the 
> payload."[1]
>
> Till now I interpreted "payload" as the request body... so as the json 
> string I can read simply using `request.body.read()`.
> Could it even be interpreted as the whole sent content including the 
> request header?
>

I would be surprised if that were the case given that (1) order of HTTP 
headers is not supposed to be significant (but would need to be if being 
used to generate a hash) and (2) WSGI applications receive incoming 
requests in the form of an environment dictionary generated by the 
WSGI-compliant web server, not the original HTTP message.
 

> How could it be gotten or reconstructed from the request storage object?
>

I'm not sure if it includes the entire original HTTP message or just the 
request body, but you can try request.env['wsgi.input']. If that doesn't 
work, web2py (and probably any WSGI-compliant framework) would not have 
access to the original HTTP message (which is parsed by the web server 
before passing request data to the web framework/application).

Anthony



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-16 Thread Manuele Pesenti



On 15/03/2018 22:17, Manuele Pesenti wrote:

>> You might be better off getting help from folks who know
>> WooCommerce, as this issue does not appear to be web2py specific.
>
> Yes for sure! Thanks a lot.
>
>      M.

Before to definitely fly to other places where to find answers to my 
problem I have one little question related with web2py...

In woocommerce documentation they say this about request signature:

"X-WC-Webhook-Signature - a base64 encoded HMAC-SHA256 hash of the 
payload."[1]

Till now I interpreted "payload" as the request body... so as the json 
string I can read simply using `request.body.read()`.
Could it even be interpreted as the whole sent content including the 
request header?

How could it be gotten or reconstructed from the request storage object?

Thanks a lot
    Manuele

[1] 
https://github.com/woocommerce/woocommerce-rest-api-docs/blob/master/source/includes/wp-api-v1/_webhooks.md




Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-15 Thread Manuele Pesenti
On 15/03/18 20:21, Anthony wrote:
> Hard to say what's wrong. Where did you get that signature and request
> body? You might be better off getting help from folks who know
> WooCommerce, as this issue does not appear to be web2py specific.
>
Yes for sure! Thanks a lot.

    M.



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-15 Thread Anthony
Hard to say what's wrong. Where did you get that signature and request 
body? You might be better off getting help from folks who know WooCommerce, 
as this issue does not appear to be web2py specific.

Anthony

On Thursday, March 15, 2018 at 1:09:31 PM UTC-4, Manuele wrote:
>
> On 01/03/2018 00:50, Anthony wrote: 
>
> > I think you're on the right track. If you need the original request 
> > body to verify the signature, request.body.read() should do it. Does 
> > that not work? 
> Hi Anthony, 
> actually no :( it doesn't work, here[1] I tried to extrapolate the very 
> essential code in order to test a use case. 
> To obtain the data I used a web service like "requestb.in" as a 
> webhook url and saved the woocommerce product. 
>
> running the test the result is: 
>
> $ python -m test 
> E 
> == 
> ERROR: test_authenticate (__main__.TestWoo) 
> -- 
> Traceback (most recent call last): 
>   File "[...]/woohook/test.py", line 16, in test_authenticate 
>     res = WooHook.check(body, signature, secret) 
>   File "woohook.py", line 23, in check 
>     raise AuthenticationError(result) 
> AuthenticationError: WNeVWlUGBX6pSusRngDavUWlck6eAhVpTRoTYBbJdYM= 
>
> -- 
> Ran 1 test in 0.000s 
>
> FAILED (errors=1) 
>
> Any idea or suggestion will be appreciated! 
>
> Cheers 
>  Manuele 
>
> [1] https://gist.github.com/manuelep/b6f6c00b4dec5234ab97229199bb223d 
>
>



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-15 Thread Manuele Pesenti

On 01/03/2018 00:50, Anthony wrote:

> I think you're on the right track. If you need the original request 
> body to verify the signature, request.body.read() should do it. Does 
> that not work?

Hi Anthony,
actually no :( it doesn't work, here[1] I tried to extrapolate the very 
essential code in order to test a use case.
To obtain the data I used a web service like "requestb.in" as a 
webhook url and saved the woocommerce product.


running the test the result is:

$ python -m test
E
==
ERROR: test_authenticate (__main__.TestWoo)
--
Traceback (most recent call last):
  File "[...]/woohook/test.py", line 16, in test_authenticate
    res = WooHook.check(body, signature, secret)
  File "woohook.py", line 23, in check
    raise AuthenticationError(result)
AuthenticationError: WNeVWlUGBX6pSusRngDavUWlck6eAhVpTRoTYBbJdYM=

--
Ran 1 test in 0.000s

FAILED (errors=1)

Any idea or suggestion will be appreciated!

Cheers
    Manuele

[1] https://gist.github.com/manuelep/b6f6c00b4dec5234ab97229199bb223d



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-01 Thread Anthony

>
> On Wednesday, February 28, 2018 at 3:50:16 PM UTC-8, Anthony wrote:
>>
>> I think you're on the right track. If you need the original request body 
>> to verify the signature, request.body.read() should do it. Does that not 
>> work?
>>
>> Also, I don't think you need the decorator and nested function. Just 
>> write a simple function and call it at the beginning of the handler:
>>
>> def verify_signature():
>>     secret = ''
>>     body = request.body.read()
>>     dig = hmac.new(secret.encode(), msg=body.encode(), digestmod=hashlib.sha256).digest()
>>     if request.env.http_x_wc_webhook_signature != base64.b64encode(dig).decode():
>>         raise HTTP(403)
>>
>> @service.json
>> def listenToHooks():
>>     verify_signature()
>>     # do stuff
>>
>> Anthony
>>
>>
>
> Don't you want a dummy parameter on verify_signature(), to prevent it 
> being a URL-visible function?
>

Instead of a dummy parameter, you can start the name with a double 
underscore. But if verify_signature is needed in multiple places, I would 
move it to a model or module. If only needed in this one place, I probably 
wouldn't make a separate function and simply add those few lines directly 
to listenToHooks.

Anthony

>



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-03-01 Thread Manuele Pesenti



On 01/03/2018 03:25, Dave S wrote:

> Don't you want a dummy parameter on verify_signature(), to prevent it 
> being a URL-visible function? 

well actually it can even stay inside the models not a controller... in 
that case if it's not decorated as a service it cannot be visible. right?


       M.



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-02-28 Thread Dave S


On Wednesday, February 28, 2018 at 3:50:16 PM UTC-8, Anthony wrote:
>
> I think you're on the right track. If you need the original request body 
> to verify the signature, request.body.read() should do it. Does that not 
> work?
>
> Also, I don't think you need the decorator and nested function. Just write 
> a simple function and call it at the beginning of the handler:
>
> def verify_signature():
>     secret = ''
>     body = request.body.read()
>     dig = hmac.new(secret.encode(), msg=body.encode(), digestmod=hashlib.sha256).digest()
>     if request.env.http_x_wc_webhook_signature != base64.b64encode(dig).decode():
>         raise HTTP(403)
>
> @service.json
> def listenToHooks():
>     verify_signature()
>     # do stuff
>
> Anthony
>
>

Don't you want a dummy parameter on verify_signature(), to prevent it being 
a URL-visible function? 

Like

def verify_signature(isinternal=True):

/dps

On Wednesday, February 28, 2018 at 4:41:01 PM UTC-5, Manuele wrote:
>>
>> On 28/02/18 17:10, Anthony wrote:
>>
>> You could parse the request body yourself, but web2py will do it 
>> automatically and put the variables in request.post_vars (if JSON is 
>> posted, its keys will become the keys of request.post_vars).
>>
>> I'm not sure what you mean by "check the request.post_vars". If there are 
>> variables you are expecting in the posted body, they will be in 
>> request.post_vars. Looking at the example log here, it looks like you 
>> might expect request.post_vars.action and request.post_vars.arg. The 
>> "action" value will also be in one of the request headers. Not sure if you 
>> need or care about "arg".
>>
>> A little step backward... I want to verify the call origin and 
>> authenticity.
>>
>> Each time a call is performed by a webhook it is signed with a signature 
>> in the header obtained by encoding the body and I want to verify this 
>> signature in order to be sure from where the call comes from. I've found 
>> something similar for other languages and environments but not for python 
>> and web2py, for example this one 
>> https://stackoverflow.com/q/42182387/1039510. The concept is quite easy 
>> but there are some details I miss.
>>
>> Hereunder I tried to rewrite the example code[*] in a more clear way (I 
>> hope).
>>
>> Has anybody tried it before or can somebody with some woocommerce webhook 
>> experience point me to what's wrong in it?
>>
>>
>> def compute(body):
>>     secret = ''
>>     dig = hmac.new(secret.encode(),
>>                    msg = body.encode(),
>>                    digestmod = hashlib.sha256
>>                    ).digest()
>>     computed = base64.b64encode(dig).decode()
>>     return computed
>>
>> def hookCheck(func):
>>     def wrapper(*args, **kw):
>>         signature = request.env.http_x_wc_webhook_signature
>>         body = request.body.read() # ??
>>         computed = compute(body)
>>         if signature==computed:
>>             return func(*args, **kw)
>>         raise HTTP(403)
>>     return wrapper
>>
>> @service.json
>> def listenToHooks():
>>     @hookCheck
>>     def _main_():
>>         # do stuff
>>         return {}
>>     return _main_()
>>
>>
>> Best regards
>>
>> Manuele
>>
>>
>> [*] https://gist.github.com/manuelep/4b64492ceeaa07f095302f94956ea554
>>
>>



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-02-28 Thread Anthony
I think you're on the right track. If you need the original request body to 
verify the signature, request.body.read() should do it. Does that not work?

Also, I don't think you need the decorator and nested function. Just write 
a simple function and call it at the beginning of the handler:

def verify_signature():
    secret = ''
    body = request.body.read()
    dig = hmac.new(secret.encode(), msg=body.encode(), digestmod=hashlib.sha256).digest()
    if request.env.http_x_wc_webhook_signature != base64.b64encode(dig).decode():
        raise HTTP(403)

@service.json
def listenToHooks():
    verify_signature()
    # do stuff

Anthony

On Wednesday, February 28, 2018 at 4:41:01 PM UTC-5, Manuele wrote:
>
> On 28/02/18 17:10, Anthony wrote:
>
> You could parse the request body yourself, but web2py will do it 
> automatically and put the variables in request.post_vars (if JSON is 
> posted, its keys will become the keys of request.post_vars).
>
> I'm not sure what you mean by "check the request.post_vars". If there are 
> variables you are expecting in the posted body, they will be in 
> request.post_vars. Looking at the example log here, it looks like you 
> might expect request.post_vars.action and request.post_vars.arg. The 
> "action" value will also be in one of the request headers. Not sure if you 
> need or care about "arg".
>
> A little step backward... I want to verify the call origin and 
> authenticity.
>
> Each time a call is performed by a webhook it is signed with a signature 
> in the header obtained by encoding the body and I want to verify this 
> signature in order to be sure from where the call comes from. I've found 
> something similar for other languages and environments but not for python 
> and web2py, for example this one 
> https://stackoverflow.com/q/42182387/1039510. The concept is quite easy 
> but there are some details I miss.
>
> Hereunder I tried to rewrite the example code[*] in a more clear way (I 
> hope).
>
> Has anybody tried it before or can somebody with some woocommerce webhook 
> experience point me to what's wrong in it?
>
>
> def compute(body):
>     secret = ''
>     dig = hmac.new(secret.encode(),
>                    msg = body.encode(),
>                    digestmod = hashlib.sha256
>                    ).digest()
>     computed = base64.b64encode(dig).decode()
>     return computed
>
> def hookCheck(func):
>     def wrapper(*args, **kw):
>         signature = request.env.http_x_wc_webhook_signature
>         body = request.body.read() # ??
>         computed = compute(body)
>         if signature==computed:
>             return func(*args, **kw)
>         raise HTTP(403)
>     return wrapper
>
> @service.json
> def listenToHooks():
>     @hookCheck
>     def _main_():
>         # do stuff
>         return {}
>     return _main_()
>
>
> Best regards
>
> Manuele
>
>
> [*] https://gist.github.com/manuelep/4b64492ceeaa07f095302f94956ea554
>
>



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-02-28 Thread Manuele Pesenti
On 28/02/18 17:10, Anthony wrote:
> You could parse the request body yourself, but web2py will do it
> automatically and put the variables in request.post_vars (if JSON is
> posted, its keys will become the keys of request.post_vars).
>
> I'm not sure what you mean by "check the request.post_vars". If there
> are variables you are expecting in the posted body, they will be in
> request.post_vars. Looking at the example log here
> , it looks like you
> might expect request.post_vars.action and request.post_vars.arg. The
> "action" value will also be in one of the request headers. Not sure if
> you need or care about "arg".

A little step backward... I want to verify the call origin and authenticity.

Each time a call is performed by a webhook it is signed with a signature
in the header obtained by encoding the body and I want to verify this
signature in order to be sure from where the call comes from. I've found
something similar for other languages and environments but not for
python and web2py, for example this one
https://stackoverflow.com/q/42182387/1039510. The concept is quite easy
but there are some details I miss.

Hereunder I tried to rewrite the example code[*] in a more clear way (I
hope).

Has anybody tried it before, or can somebody with some woocommerce webhook
experience point me to what's wrong in it?


def compute(body):
    secret = ''
    dig = hmac.new(secret.encode(),
        msg = body.encode(),
        digestmod = hashlib.sha256
    ).digest()
    computed = base64.b64encode(dig).decode()
    return computed

def hookCheck(func):
    def wrapper(*args, **kw):
        signature = request.env.http_x_wc_webhook_signature
        body = request.body.read() # ??
        computed = compute(body)
        if signature==computed:
            return func(*args, **kw)
        raise HTTP(403)
    return wrapper

@service.json
def listenToHooks():
    @hookCheck
    def _main_():
        # do stuff
        return {}
    return _main_()


Best regards

    Manuele


[*] https://gist.github.com/manuelep/4b64492ceeaa07f095302f94956ea554
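
The signature check discussed in this thread, as an added example that is not part of any poster's message or of web2py: a base64-encoded HMAC-SHA256 over the raw request bytes, compared in constant time. It assumes Python 3; the secret and body are constructed sample values and the function names are hypothetical. In a web2py controller the two inputs would be `request.body.read()` and `request.env.http_x_wc_webhook_signature`, as named in the thread.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed sample values (not taken from the thread).
SECRET = "constructed-demo-secret"
RAW_BODY = b'{"id":42,"status":"processing","total":"19.90"}'


def sign(secret, raw_body):
    """Return the raw HMAC-SHA256 digest of the request bytes."""
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    if not isinstance(raw_body, (bytes, bytearray)):
        # Decoding and re-encoding the body can change the bytes that were signed.
        raise TypeError("sign the raw request bytes, not decoded text")
    return hmac.new(secret, bytes(raw_body), hashlib.sha256).digest()


def header_for(secret, raw_body):
    """Build the header value a sender would attach (base64 of the digest)."""
    return base64.b64encode(sign(secret, raw_body)).decode("ascii")


def verify_webhook(secret, raw_body, header_value):
    """Return True only if header_value is a valid signature of raw_body."""
    if not secret:
        # An empty key makes the HMAC computable by anyone; refuse to verify.
        return False
    if not header_value:
        # Header missing: treat as unauthenticated rather than raising.
        return False
    try:
        received = base64.b64decode(header_value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    # compare_digest avoids the timing side channel of a plain == comparison.
    return hmac.compare_digest(received, sign(secret, raw_body))


def demo():
    """Run the check against the genuine body and several failure cases."""
    header = header_for(SECRET, RAW_BODY)
    # Same JSON content, but re-serialised: whitespace differs, so the bytes differ.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    tampered = RAW_BODY.replace(b"19.90", b"0.01")
    return {
        "genuine": verify_webhook(SECRET, RAW_BODY, header),
        "reserialised": verify_webhook(SECRET, reserialised, header),
        "tampered": verify_webhook(SECRET, tampered, header),
        "missing_header": verify_webhook(SECRET, RAW_BODY, None),
        "malformed_header": verify_webhook(SECRET, RAW_BODY, "not base64!!"),
        "empty_secret": verify_webhook("", RAW_BODY, header_for("", RAW_BODY)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-17s accepted=%s" % (case, accepted))
```

Only the genuine case is accepted; the re-serialised case shows why the check has to run on the raw body rather than on values rebuilt from `request.post_vars`. On a failed check, the response suggested in the thread is to raise `HTTP(403)`.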



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-02-28 Thread Anthony

>
> > It looks like WooCommerce makes a POST request, so the values posted 
> > should end up in request.post_vars. 
>
> maybe I don't understand... what I think I need to check is the raw body 
> of the request... isn't it? How should I check the request.post_vars? 
> Isn't it a dictionary or a Storage object?
>

You could parse the request body yourself, but web2py will do it 
automatically and put the variables in request.post_vars (if JSON is 
posted, its keys will become the keys of request.post_vars).

I'm not sure what you mean by "check the request.post_vars". If there are 
variables you are expecting in the posted body, they will be in 
request.post_vars. Looking at the example log here 
<https://docs.woocommerce.com/document/webhooks/>, it looks like you might 
expect request.post_vars.action and request.post_vars.arg. The "action" 
value will also be in one of the request headers. Not sure if you need or 
care about "arg".
 

> > and I don't think there is much gained by putting it inside 
>
> ok... but why not?
>

It's just another level of indirection for no benefit. Actually, if the 
@auth.requires check fails, it will end up redirecting to the web2py Auth 
"not_authorized" HTML page (with a 200 response). A better response would 
simply be to raise an HTTP(403) exception.

Anthony



Re: [web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-02-28 Thread Manuele Pesenti

Thanks Anthony,


On 28/02/2018 15:50, Anthony wrote:
> The webhook request headers will be in 
> request.env.http_x_wc_webhook_[specific header] (e.g., 
> request.env.http_x_wc_webhook_signature).

ok got it!

> It looks like WooCommerce makes a POST request, so the values posted 
> should end up in request.post_vars.

maybe I don't understand... what I think I need to check is the raw body 
of the request... isn't it? How should I check the request.post_vars? 
Isn't it a dictionary or a Storage object?

> As an aside, you can probably simplify your code to just be a function 
> rather than a class,

ok I agree

> and I don't think there is much gained by putting it inside

ok... but why not?

> an @auth.requires decorator -- just run the relevant code directly in 
> the listenToHooks function.
>
> Anthony

Cheers
    Manuele



[web2py] Re: How to verify woocommerce webhook signature in web2py auth decorator

2018-02-28 Thread Anthony
The webhook request headers will be in 
request.env.http_x_wc_webhook_[specific header] (e.g., 
request.env.http_x_wc_webhook_signature).

It looks like WooCommerce makes a POST request, so the values posted should 
end up in request.post_vars.

As an aside, you can probably simplify your code to just be a function 
rather than a class, and I don't think there is much gained by putting it 
inside an @auth.requires decorator -- just run the relevant code directly 
in the listenToHooks function.

Anthony

On Wednesday, February 28, 2018 at 4:51:38 AM UTC-5, Manuele wrote:
>
> Hi! 
>
> I need to develop a web service that listens to webhook calls from a
> woocommerce site, I thought to write a little check class to pass to
> auth.requires decorator like the following:
>
>
> class HookCheck(object):
>     secret = ''
>
>     def __init__(self):
>         super(HookCheck, self).__init__()
>         self()
>
>     def compute(self, body):
>         dig = hmac.new(self.secret.encode(),
>             msg = body.encode(), # your_bytes_string
>             digestmod = hashlib.sha256
>         ).digest()
>         computed = base64.b64encode(dig).decode()
>         return computed
>
>     def __call__(self):
>         signature = '' # <- how can I get from the request headers?
>         body = request.body.read() # <- Is it the right string to encode?
>         computed = self.compute(body)
>         print signature, computed, signature==computed
>         return signature==computed
>
>
> @service.json
> @auth.requires(HookCheck(), requires_login=False)
> def listenToHooks():
>     return {}
>
>
> can somebody help me to get the correct values of the hook signature and
> the raw call body to check?
>
> As far as I know the signature is contained in the header field
> "X-Wc-Webhook-Signature" and I'm not sure if the string from which to get
> the hmac hash is just what I get from the read method of the
> request.body object.
>
> thanks a lot
>
>  Manuele 
>
>



[web2py] How to verify woocommerce webhook signature in web2py auth decorator

2018-02-28 Thread Manuele Pesenti

Hi!

I need to develop a web service that listens to webhook calls from a 
woocommerce site, I thought to write a little check class to pass to 
auth.requires decorator like the following:



class HookCheck(object):
    secret = ''

    def __init__(self):
        super(HookCheck, self).__init__()
        self()

    def compute(self, body):
        dig = hmac.new(self.secret.encode(),
            msg = body.encode(), # your_bytes_string
            digestmod = hashlib.sha256
        ).digest()
        computed = base64.b64encode(dig).decode()
        return computed

    def __call__(self):
        signature = ''    # <- how can I get from the request headers?

        body = request.body.read() # <- Is it the right string to encode?
        computed = self.compute(body)
        print signature, computed, signature==computed
        return signature==computed


@service.json
@auth.requires(HookCheck(), requires_login=False)
def listenToHooks():
    return {}


can somebody help me to get the correct values of the hook signature and 
the raw call body to check?


As far as I know the signature is contained in the header field 
"X-Wc-Webhook-Signature" and I'm not sure if the string from which to get 
the hmac hash is just what I get from the read method of the 
request.body object.


thanks a lot

    Manuele



Re: [web2py] auth actions_disabled in 2.16.1

2018-01-30 Thread Johann Spies
It seems that the menu option is hard coded in the default layout.html.

Regards
Johann

On 30 January 2018 at 12:24, Johann Spies  wrote:
> On 2 January 2018 at 20:37, 黄祥  wrote:
>> web2py latest version auth actions_disabled doesn't work anymore
>> models/db.py
>> #auth.settings.actions_disabled = configuration.take('auth.actions_disabled')
>> auth.settings.actions_disabled = ['profile', 'register']
>>
>> result
>> the url to sign up exists, when the sign up is clicked it returns 404 NOT
>> FOUND
>>
>> is there any way to make it work again like in previous version?
>
> I can confirm this behaviour.
>
> I would prefer the option to register not to appear under "Login"  in
> the navbar.
>
> "Sign up"  appears and when clicked throws a HTTP 404 error.
>
> I could not see what in the code of gluon/tools.py is causing this.
>
> It seems that this code does not get involved in the process (line
> 2009 of tools.py):
>
> if 'register' not in self.settings.actions_disabled:
>     items.append({'name': T('Sign Up'), 'href': href('register'),
>                   'icon': 'icon-user'})
>
>
> Regards
> Johann
> --
> Because experiencing your loyal love is better than life itself,
> my lips will praise you.  (Psalm 63:3)



-- 
Because experiencing your loyal love is better than life itself,
my lips will praise you.  (Psalm 63:3)



Re: [web2py] auth actions_disabled in 2.16.1

2018-01-30 Thread Johann Spies
On 2 January 2018 at 20:37, 黄祥  wrote:
> web2py latest version auth actions_disabled doesn't work anymore
> models/db.py
> #auth.settings.actions_disabled = configuration.take('auth.actions_disabled')
> auth.settings.actions_disabled = ['profile', 'register']
>
> result
> the url to sign up exists, when the sign up is clicked it returns 404 NOT
> FOUND
>
> is there any way to make it work again like in previous version?

I can confirm this behaviour.

I would prefer the option to register not to appear under "Login"  in
the navbar.

"Sign up"  appears and when clicked throws a HTTP 404 error.

I could not see what in the code of gluon/tools.py is causing this.

It seems that this code does not get involved in the process (line
2009 of tools.py):

if 'register' not in self.settings.actions_disabled:
    items.append({'name': T('Sign Up'), 'href': href('register'),
                  'icon': 'icon-user'})


Regards
Johann
-- 
Because experiencing your loyal love is better than life itself,
my lips will praise you.  (Psalm 63:3)



[web2py] auth actions_disabled in 2.16.1

2018-01-02 Thread 黄祥
web2py latest version auth actions_disabled doesn't work anymore
*models/db.py*
#auth.settings.actions_disabled = configuration.take('auth.actions_disabled')
auth.settings.actions_disabled = ['profile', 'register']

*result*
the url to sign up exists, when the sign up is clicked it returns 404 NOT 
FOUND

is there any way to make it work again like in previous version?

thanks and best regards,
stifan



Re: [web2py] Re: [web2py/web2py] Auth add_membership and del_membership mistakenly alter the logged-in user's session (#1638)

2017-06-07 Thread Richard Vézina
That's what I thought too... filesystem is slow, database would require a
new auth table or at least a new field (system reserved)...

What about persistent auth parameters?? We could make it persistent from
request to request in cache as long as cache (RAM) can be used by web2py
internal code??

Richard


On Tue, Jun 6, 2017 at 3:49 PM, Anthony  wrote:

>> When you mention "persist the list of flagged users", it means that there
>> is no such thing as persistence in web2py and that at each request web2py
>> is completely "ignorant" about any given state it may find itself in??
>>
>
> Well, each request is executed independently, though there are means of
> persisting state, such as the cache, a database, or the file system.
>
>
>> I guess using session as a persistence means to make this possible would
>> involve a security issue as we would be using a user centric persistence option
>> for storing general information which is sensitive as it provides a list of
>> IDs and possibly other information to make this work...
>>
>
> It's not a security issue, as users are not able to inspect the data in
> their sessions (even cookie-based sessions are encrypted), but it wouldn't
> make sense to store a list that needs to be globally accessible across
> users inside the session of a single user. Sessions are for storing data
> specific to a particular user (actually, a particular session of a
> particular user).
>
>
>>
>> On Tue, Jun 6, 2017 at 12:12 PM, abastardi 
>> wrote:
>>
>>> How could we update someone else auth.user_groups?? Could we issue a one
>>> time reinitialization command by setting a flag on/off when use
>>> add_/del_membership?? We can then force a given user to reinit the
>>> auth.user_groups list on his next request...
>>>
>>> That's one approach, but then we need a way to persist the list of
>>> flagged users (preferably that easily scales horizontally), and there would
>>> be some cost on every request (at least every request that needs to check
>>> authorization) to check the list.
>>>
>>> Another option would be to keep a record of active session identifiers
>>> for each user, and whenever a role change occurs, update all of that user's
>>> active sessions (note, this will not work with cookie-based sessions --
>>> only sessions stored on the server).
>>>
>>



[web2py] Re: [web2py/web2py] Auth add_membership and del_membership mistakenly alter the logged-in user's session (#1638)

2017-06-06 Thread Anthony

>
> When you mention "persist the list of flagged users", it means that there 
> is no such thing as persistence in web2py and that at each request web2py 
> is completely "ignorant" about any given state it may find itself in??
>

Well, each request is executed independently, though there are means of 
persisting state, such as the cache, a database, or the file system.
 

> I guess using session as a persistence means to make this possible would 
> involve a security issue as we would be using a user centric persistence option 
> for storing general information which is sensitive as it provides a list of 
> IDs and possibly other information to make this work...
>

It's not a security issue, as users are not able to inspect the data in 
their sessions (even cookie-based sessions are encrypted), but it wouldn't 
make sense to store a list that needs to be globally accessible across 
users inside the session of a single user. Sessions are for storing data 
specific to a particular user (actually, a particular session of a 
particular user).
 

>
> On Tue, Jun 6, 2017 at 12:12 PM, abastardi  
> wrote:
>
>> How could we update someone else auth.user_groups?? Could we issue a one 
>> time reinitialization command by setting a flag on/off when use 
>> add_/del_membership?? We can then force a given user to reinit the 
>> auth.user_groups list on his next request...
>>
>> That's one approach, but then we need a way to persist the list of 
>> flagged users (preferably that easily scales horizontally), and there would 
>> be some cost on every request (at least every request that needs to check 
>> authorization) to check the list.
>>
>> Another option would be to keep a record of active session identifiers 
>> for each user, and whenever a role change occurs, update all of that user's 
>> active sessions (note, this will not work with cookie-based sessions -- 
>> only sessions stored on the server).
>>
>
>



[web2py] Re: [web2py/web2py] Auth add_membership and del_membership mistakenly alter the logged-in user's session (#1638)

2017-06-06 Thread Richard Vézina
We could continue this conversation here...

When you mention "persist the list of flagged users", it means that there is
no such thing as persistence in web2py and that at each request web2py is
completely "ignorant" about any given state it may find itself in??

I guess using session as a persistence means to make this possible would
involve a security issue as we would be using a user centric persistence option
for storing general information which is sensitive as it provides a list of
IDs and possibly other information to make this work...

We could use encryption and rely on a web2py instance picked password to
hide this information from a potential attacker? Do we already have any way
to encrypt something into the user session or are we doing such a thing at
all??

At the same time a simple list of user IDs, of which someone can already guess
the identifier, is not that sensitive.

It may be just not the best place to store such information...

Richard


On Tue, Jun 6, 2017 at 12:12 PM, abastardi  wrote:

> How could we update someone else auth.user_groups?? Could we issue a one
> time reinitialization command by setting a flag on/off when use
> add_/del_membership?? We can then force a given user to reinit the
> auth.user_groups list on his next request...
>
> That's one approach, but then we need a way to persist the list of flagged
> users (preferably that easily scales horizontally), and there would be some
> cost on every request (at least every request that needs to check
> authorization) to check the list.
>
> Another option would be to keep a record of active session identifiers for
> each user, and whenever a role change occurs, update all of that user's
> active sessions (note, this will not work with cookie-based sessions --
> only sessions stored on the server).
>
>



[web2py] Auth change password confirmation

2017-04-09 Thread Alfonso Serra
I can't check if the auth form to change a password is accepted. I have been 
debugging a post and post_vars and form.vars are empty. I don't know what's 
going on, the password is changed successfully but I can't display a message 
since I don't know how to check the form's state.

I have the profile and change password forms in the same view so the 
controller I have is something like this:

def user():
    if request.args[0] == "profile":
        auth.settings.profile_next = "/user"
        auth.settings.change_password_next = "/user"
        form = auth.profile()
        form_pass = auth.change_password()
        if admin:
            create_form = SQLFORM(db.auth_user).process(formname="create") #to create new users

Many thanks.



[web2py] Auth -- members of both groups

2017-02-02 Thread Dave S
I'm trying to give members of 2 different groups access to functionX.  In 
the spirit of 



I tried 
 @auth.requires(auth.has_membership(role=green) or auth.has_membership(role=blue))
 def functionX():

but this didn't allow either group access.

I also tried

@auth.requires_membership('green')
@auth.requires_membership('blue')
def functionX():

and again it didn't allow either group access.

What's the correct way of handling the joint authorization?

Dave
/dps



[web2py] auth on GAE 'unable to send email'

2017-01-06 Thread David Manns
Running 2.14.6 in production on GAE. Notice can't send the verification's 
so can't register or recover passwords. (have another problem with lost 
passwords which reported separately).

Using all the standard setup to initialize auth.settings.mailer in db.py 
AND that same auth.settings.mailer is used elsewhere to send out regular 
emails, which works fine!

in db.py:

mail = auth.settings.mailer
if request.env.web2py_runtime_gae:  # if running on Google App Engine
    mail.settings.server = 'gae'
    mail.settings.login = None  # your credentials or None
else:  # development environment with Web2py alone
    mail.settings.server = myconf.get('smtp.server')
    mail.settings.login = myconf.get('smtp.login')
mail.settings.sender = myconf.get('smtp.sender')
mail.settings.tls = myconf.get('smtp.tls') or False
mail.settings.ssl = myconf.get('smtp.ssl') or False

# -
# configure auth policy
# -
auth.settings.create_user_groups = False
auth.settings.mailer = mail  # for user email verification
auth.settings.registration_requires_verification = True
auth.messages.verify_email = u'Click on the link http://'+request.env.http_host+URL('default','user',args=['verify_email'])+'/%(key)s to verify your email'
auth.settings.reset_password_requires_verification = True
auth.messages.reset_password = u'Click on the link http://'+request.env.http_host+URL('default','user',args=['reset_password'])+'/%(key)s to reset your password'
#auth.settings.registration_requires_verification = True
auth.settings.registration_requires_approval = False
#auth.settings.reset_password_requires_verification = True
,,,

in appconfig.ini:

[smtp]
server = smtp.gmail.com:587
sender = "Oxford & Cambridge Society" 
login  = :
tls= true
ssl= false

As an aside, I originally had ssl =true but this caused unreliable message 
delivery in the web2py development environment. Adding the unicode 
indicator to the auth.message. settings made no difference.



[web2py] auth groups and permission

2016-12-30 Thread Biplov Bhandari
Hi,

I want to have a fixed user groups (eg. editor, publishers and admin). I 
don't want the default one group to one member. How do I do that?

Best,
Biplov



[web2py] auth event logging for password reset

2016-08-30 Thread Ivan
After looking at the event logging behaviour for a password reset request, 
I think that:

1. the default message for the request should be 'User %(id)s Password 
reset *requested*' (because the psw is not yet changed)

2. it seems that the log message when the user changes his password (by the 
emailed url) is missing: it should be 'User %(id)s Password changed'



[web2py] auth, db access via current in module

2016-07-02 Thread lucas
hello one and all,

i read the article in the book: 
http://web2py.com/books/default/chapter/29/4#Sharing-the-global-scope-with-modules-using-the-current-object

and so i added to my db.py model file after the assignment of db and auth:

from gluon import current
current.db, current.auth = db, auth

and i created a new module called mcp0.py under the modules section and 
added say the function:

def chkSession(subscribing=False):
    auth, db, session, request, response = current.auth, current.db, current.session, current.request, current.response
    tCase, tSheet = db.cases, db.worksheets
    ...
    return etc

being sure that "current" is called in the function and not globally to 
make sure the threads are kept straight.

now this is where it gets strange, when i generate a link like 
https://domain.com/app/controller/function/30 and click on it, the 
application returns an error because the argument of 30 changes to None.  
now if i type the 30 back into the URL, it will return the page ok.  but 
clicking on the link, which is a correct link, somehow the argument list 
gets lost between the click and the function maintaining that argument 
list.  and again, if i manually type it, the 30, the page loads fine.

weird and i don't understand it.  ok, let me know, lucas



Re: [web2py] auth on cas and consume data from some apps

2016-05-17 Thread Massimiliano
Another timeline that clarifies the situation.

with @auth.requires_login()

1. User logs in on app A
2. User follows the link on app B/function_decorated
3. App A tries to get data from app B; all is working well

Thank you

On Tue, May 17, 2016 at 11:34 AM, Massimiliano  wrote:

> Hello,
>
> I've a system composed of some apps sharing auth on *cas*.
>
> I would like that app A could get json data from app B but it seems not
> possible if the user doesn't log in to each app before.
>
> Just to clarify.
>
> Timeline.
>
> 1. User logs in on app A
> 2. App A tries to get data from app B but gets "Insufficient privileges"
> or nothing. It depends on the decorator used.
>
> but if
>
> 1. User logs in on app A
> 2. User logs in on app B
> 3. App A tries to get data from app B; all is working well
>
>
> I tried to decorate the app B controller function with
> @auth.requires_signature()
> setting properly user_signature=True in the URL()
> and I get "Insufficient privileges"
>
> and with
> @auth.requires_login()
> and I get nothing
>
> Is it possible to get what I want?
>
> Thank you
>



-- 
Massimiliano



[web2py] auth on cas and consume data from some apps

2016-05-17 Thread Massimiliano
Hello,

I've a system composed of some apps sharing auth on *cas*.

I would like that app A could get json data from app B but it seems not 
possible if the user doesn't log in to each app before.

Just to clarify.

Timeline.

1. User logs in on app A
2. App A tries to get data from app B but gets "Insufficient privileges" or 
nothing. It depends on the decorator used. 

but if

1. User logs in on app A
2. User logs in on app B
3. App A tries to get data from app B; all is working well


I tried to decorate the app B controller function with
@auth.requires_signature() 
setting properly user_signature=True in the URL()
and I get "Insufficient privileges"

and with 
@auth.requires_login()
and I get nothing

Is it possible to get what I want?

Thank you
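
Added example, not part of the original posts and not web2py's own code: a standard-library model of why a URL signed inside app A's login session does not verify in app B, next to a key shared by both apps. It assumes, as the web2py book describes for user_signature=True, that the signing key is generated per session; the App class, the URL path, the _ts/_signature parameter names and the 60-second window are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

MAX_AGE = 60  # seconds a signed URL stays valid (assumed policy)


def _mac(key, path, pairs):
    """HMAC-SHA256 over the path and the sorted, re-encoded query pairs."""
    canonical = path + "?" + urlencode(sorted(pairs))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(path, params, key, now=None):
    """Caller side (app A): add a timestamp, then append the signature."""
    now = int(time.time()) if now is None else int(now)
    pairs = [(k, str(v)) for k, v in params.items()] + [("_ts", str(now))]
    query = urlencode(sorted(pairs))
    return path + "?" + query + "&_signature=" + _mac(key, path, pairs)


def verify_url(url, key, now=None, max_age=MAX_AGE):
    """Receiver side (app B): reject missing key, bad MAC or stale timestamp."""
    if not key:
        return False  # no key on this side: nothing to verify against
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_signature"]
    signed = [(k, v) for k, v in pairs if k != "_signature"]
    stamps = [v for k, v in signed if k == "_ts"]
    if len(sigs) != 1 or len(stamps) != 1:
        return False
    try:
        issued = int(stamps[0])
    except ValueError:
        return False
    if abs(now - issued) > max_age:
        return False
    expected = _mac(key, parts.path, signed)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), sigs[0].encode("utf-8"))


class App:
    """Stand-in for one app: each login creates a random per-session key."""

    def __init__(self):
        self._session_keys = {}

    def login(self, user):
        self._session_keys[user] = secrets.token_bytes(32)

    def session_key(self, user):
        return self._session_keys.get(user)


def demo(now=1_700_000_000):
    """Run the thread's timelines against the model; returns accept/reject."""
    app_a, app_b = App(), App()
    app_a.login("alice")
    path, params = "/appB/default/report.json", {"customer": "42"}  # constructed
    results = {}

    # Timeline 1: signed with the key of alice's session in app A only.
    url = sign_url(path, params, app_a.session_key("alice"), now)
    results["b_not_logged_in"] = verify_url(url, app_b.session_key("alice"), now)

    # Logging in to app B creates a different key, so A's signature
    # still does not verify there.
    app_b.login("alice")
    results["b_logged_in_other_key"] = verify_url(
        url, app_b.session_key("alice"), now)

    # Key provisioned to both apps out of band, independent of any session.
    shared = secrets.token_bytes(32)
    url = sign_url(path, params, shared, now)
    results["shared_key"] = verify_url(url, shared, now)
    results["tampered"] = verify_url(
        url.replace("customer=42", "customer=43"), shared, now)
    results["stale"] = verify_url(url, shared, now + MAX_AGE + 1)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

In web2py itself the shared-key form is URL(..., hmac_key=KEY) on the calling side and URL.verify(request, hmac_key=KEY) in the receiving controller.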



[web2py] Auth with service

2016-02-20 Thread Mirco Barone
I have to implement authentication through one of my SOAP services. Do you 
have any advice? Thank you



[web2py] Auth User split by tables

2016-01-31 Thread rajmathur6431

Hello web2py community. I am a new user and I have to say, web2py saves the 
day by saving so much time over a full stack framework which requires so 
much work. Anyway, I am going to ask the community a question. How can I 
customize auth_user so that, instead of adding extra fields to auth_user, we 
can have multiple tables for the profile with various attributes? I am 
creating an application for gym membership and I need to have the user 
register based on their job, current address, prior fitness routines, 
current fitness routine, activities they are interested in, etc. Putting it 
all in one table with various fields seems to make the table 
disproportionately long. It would be nice to split them into different 
tables so the user can pick and choose which tables they would like to fill 
in or not.



[web2py] Auth extra fields

2016-01-05 Thread greenpoise
if auth.is_logged_in():
    this_store=auth_user.store
else:
    this_store=None


Is there a way to extract the extra fields value in the controller like the 
code above?

Thanks



[web2py] auth new user registration even after login

2015-11-23 Thread Kalpish Singhal
I want only my admin user group to be able to register new members, and 
their password should be sent to the respective user's mail id using the 
auth_user table. How do I do this when auth is logged in, because there is 
no signup option in the menu after login?



[web2py] auth tables not visible in appadmin

2015-11-04 Thread Red Beard
Hi,

My problem is that the auth tables do not appear in appadmin, though the 
system allows me to register users, and it seems to remember them.



I am following the example in the book (chapter 3, overview: 
http://www.web2py.com/books/default/chapter/29/03/overview)

I have left the model db.py:

from gluon.tools import Auth, Service, PluginManager

auth = Auth(db)
service = Service()
plugins = PluginManager()

## create all tables needed by auth if not custom tables
auth.define_tables(username=False, signature=False)


In front of some functions, the controller, default.py has:

@auth.requires_login()


And this seems to work, asking someone not logged in to log in.

Any ideas please? At the moment if I try and reference any of these auth tables 
the system throws up errors.


Many thanks



[web2py] Auth Roles

2015-06-15 Thread dt0901
Hi,

Excellent product web2py but still trying to get my head around some of the 
structure
and some burning questions from the documentation.

Question 2:
Hi at the moment every time a user registers, a new 'role' is created for 
the user.
Basically I want three roles:
USER
STAFF
ADMIN

Admin goes without saying and can be manually changed in the DB.
When a user registers online, how do I get them to be in the group role 
'USER'?
Afterwards I will have the admin with the ability to add STAFF group to a 
particular USER.

Do I have to define the roles in the DB afterwards by code in db.py once the 
tables are created? What is the correct way?
Also how do I get any user who registers to be automatically in group 
'USER'?
Cause at the moment a new role is created every time.


Thanks to anyone answering my questions.

Den



Re: [web2py] Auth Roles

2015-06-15 Thread Michele Comitini
I think what you need is in the book:
http://web2py.com/books/default/chapter/29/09/access-control#Authorization

2015-06-14 23:48 GMT+02:00 dt0...@gmail.com:

> Hi,
>
> Excellent product web2py but still trying to get my head around some of
> the structure
> and some burning questions from the documentation.
>
> Question 2:
> Hi at the moment every time a user registers, a new 'role' is created for
> the user.
> Basically I want three roles:
> USER
> STAFF
> ADMIN
>
> Admin goes without saying and can be manually changed in the DB.
> When a user registers online, how do I get them to be in the group role
> 'USER'?
> Afterwards I will have the admin with the ability to add STAFF group to a
> particular USER.
>
> Do I have to define the roles in the DB afterwards by code in db.py once
> the tables are created? What is the correct way?
> Also how do I get any user who registers to be automatically in group
> 'USER'?
> Cause at the moment a new role is created every time.
>
>
> Thanks to anyone answering my questions.
>
> Den





[web2py] Auth callback settings for reset_password and request_reset_password

2015-06-07 Thread James McGlynn
Hello,

I have a few questions about using callbacks with reset_password and 
request_reset_password. I'm using web2py 2.9.5, but I checked the 
corresponding code from the master branch and github in gluon/tools.py and 
it seems to be the same. 

Why does the callback auth.settings.reset_password_onaccept get called when 
auth.request_reset_password() is accepted, instead of when 
auth.reset_password() is accepted (request_reset vs reset)?

Why does the function reset_password in gluon/tools.py not have a callback 
at all (that is, why doesn't it have the line callback(onaccept, form))? 
Would it be dangerous to do so?

I wanted a callback after the auth.reset_password() form was submitted so I 
changed the reset_password function to include these lines:

def reset_password(
    .
    .

    if next is DEFAULT:
        next = self.get_vars_next() or self.settings.reset_password_next

    ## Added by me (taken from the request_reset_function)
    if onvalidation is DEFAULT:
        onvalidation = self.settings.reset_password_onvalidation
    if onaccept is DEFAULT:
        onaccept = self.settings.reset_password_onaccept

    ..
    ..

        if self.settings.login_after_password_change:
            self.login_user(user)

        ##
        ## Added by me (also taken from the request_reset_password function)
        callback(onaccept, form)
        ##

        redirect(next, client_side=self.settings.client_side)
    return form


Is this ok to do? It seems to do what I want, which was to remove a role 
from a user after password reset.

Thank you. 



[web2py] auth define_tables username=False not working on GAE

2015-03-21 Thread Sébastien Loix
Hello,

I can't get the username=False inside the auth.define_tables to work while 
developing on GAE locally.

I need to add a custom field username in the auth table that I do like 
this:

auth.settings.extra_fields['auth_user'] = [
    Field('username', length=128, default="", unique=True)]

then below I have:
auth.define_tables(username=False, signature=False)

When I try to login (going to /user/login)

I have the form with 
username:
password:

The only way I get the login with the email / password is if I remove the 
custom extra_field 'username'.

Any idea why this is happening?

Thank you for the help,
Sebastian



[web2py] Auth Users Session

2014-12-22 Thread Oliver
Hi All,

I really enjoy discovering the beauty of web2py.  Just got a newbie 
question :)

If I create multiple apps and use one db or sharing one db to all apps, can 
the login session be shared between apps?  Thanks.

For example from the default, we have the admin (which is locked), welcome 
and example apps.  Can the welcome and example apps share the same 
auth_users session for members-only pages?  I know the db can be shared but 
am not sure if the session can be shared through different apps.

Thanks all.



[web2py] Auth related emails, via web2py scheduler

2014-03-27 Thread Kiran Subbaraman
Hello,
I took a look at this chapter: 
http://web2py.com/books/default/chapter/29/08/emails-and-sms#Sending-messages-using-a-background-task
and got this to work - I am able to send emails via a background task.
I was wondering how I could make the Auth related emails also to be sent 
via this background process. Right now, all the Auth emails - 
verification/password-reset, etc - are sent synchronously from within 
Auth's functions.

I was thinking of a possibility, but somehow it seemed too contrived

   - For example, I define auth.settings.mailer=MyDummyMail()
   - MyDummyMail() only inserts the to/subject/body of the email into a 
   database, so that the background task sends it. It doesn't actually send 
   emails. 
   - The issue with this is that I need access to the auth_user.id value 
   before sending emails via the background task - because I construct the 
   subject/body of the email with some of the auth_user.extra_fields. This 
   user info is not passed by the Auth class to the mail.send anyway.
   - Therefore, this MyDummyMail() method won't work for me

The other possibility is to switch off all emailing from Auth classes, by 
using another DummyMail() class which actually does nothing, and use the 
onaccept callback to script my email, and its background sending task. But 
then, not all the Auth methods have an onaccept method. For example, I'll 
need one for reset password.

Any suggestions on how I can go about this? 

Thanks,

Kiran



Re: [web2py] Auth with multiple E-mail addresses

2014-02-24 Thread Damien

Thank you for your answers. I think at this point my best option is to 
rewrite a class inheriting from Auth. If it works well I can publish it and 
we can discuss if it might be interesting to merge it to the trunk.

On Sunday, 23 February 2014 04:41:24 UTC-5, mweissen wrote:

> I think a new class could do the job. You could modify your db.py
> Replace
>
> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>
> by
>
> class MyAuth(Auth):
>     # your code
>     pass
> auth = MyAuth(db, hmac_key=Auth.get_or_create_key())
>
> Regards, Martin
>
> 2014-02-23 0:21 GMT+01:00 Damien bardon...@gmail.com:
>
> > I would like to associate to my users multiple E-mail addresses and phone 
> > numbers. I would like these users to be able to authenticate with any 
> > (verified) E-mail address or phone number. I am wondering what would be the 
> > best approach to achieve this. 
> >
> > One idea would be to modify the existing Auth class. I am willing to do 
> > it, but I would like to know if this is something that could then 
> > potentially be merged in the main branch of web2py (any one else interested 
> > in this feature?). If not, this approach might not work as I don't want to 
> > maintain an alternate version of Auth that would diverge from the one 
> > integrated in web2py.
> >
> > Thank you for your suggestions.
> >
> > Damien




 



Re: [web2py] Auth with multiple E-mail addresses

2014-02-23 Thread Martin Weissenboeck
I think a new class could do the job. You could modify your db.py
Replace

auth = Auth(db, hmac_key=Auth.get_or_create_key())

by

class MyAuth(Auth):
    # your code
    pass
auth = MyAuth(db, hmac_key=Auth.get_or_create_key())

Regards, Martin

2014-02-23 0:21 GMT+01:00 Damien bardon.dam...@gmail.com:


> I would like to associate to my users multiple E-mail addresses and phone
> numbers. I would like these users to be able to authenticate with any
> (verified) E-mail address or phone number. I am wondering what would be the
> best approach to achieve this.
>
> One idea would be to modify the existing Auth class. I am willing to do
> it, but I would like to know if this is something that could then
> potentially be merged in the main branch of web2py (any one else interested
> in this feature?). If not, this approach might not work as I don't want to
> maintain an alternate version of Auth that would diverge from the one
> integrated in web2py.
>
> Thank you for your suggestions.
>
> Damien





[web2py] Auth with multiple E-mail addresses

2014-02-22 Thread Damien

I would like to associate to my users multiple E-mail addresses and phone 
numbers. I would like these users to be able to authenticate with any 
(verified) E-mail address or phone number. I am wondering what would be the 
best approach to achieve this. 

One idea would be to modify the existing Auth class. I am willing to do it, 
but I would like to know if this is something that could then potentially 
be merged in the main branch of web2py (any one else interested in this 
feature?). If not, this approach might not work as I don't want to maintain 
an alternate version of Auth that would diverge from the one integrated in 
web2py.

Thank you for your suggestions.

Damien



[web2py] auth signature and enable record versioning

2014-01-03 Thread 黄祥
hi,

i wonder what is the correlation between auth signature and enable record 
versioning.
e.g.
# on_define_bank
def on_define_bank(table):
    # notnull
    table.bank.notnull = True

# create table : bank
db.define_table('bank',
    Field('bank'),
    auth.signature,
    on_define = on_define_bank,
    format = '%(bank)s')

# enable_record_versioning
db.bank._enable_record_versioning()

# 1st question
this one works fine, but if i make it lazy for enable_record_versioning, the 
archive table is created but can't be accessed (it returns an error), so i 
must comment out or disable auth.signature to make it work. i wonder why?
e.g.
# on_define_bank
def on_define_bank(table):
    # enable_record_versioning
    table._enable_record_versioning()
    # notnull
    table.bank.notnull = True

# create table : bank
db.define_table('bank',
    Field('bank'),
    on_define = on_define_bank,
    format = '%(bank)s')

# 2nd question
let's say i didn't use enable_record_versioning for each table and use 
auth.enable_record_versioning(db) at the end of the table definitions. if i 
define auth.signature for each table, it will create the archive table 
(enable_record_versioning works), but when i comment out or disable 
auth.signature on each table, only the auth tables get the archive table 
(enable_record_versioning works only on auth tables). i wonder why?

any explanation about this?

thanks and best regards,
stifan



[web2py] Auth() vs auth()

2013-12-18 Thread Carlos Zenteno
Newbie here...

I know that Auth() is the class in gluon
and its initial use:  auth = Auth(db)

But I have seen some uses like form = auth()
in some controllers.

Is there an auth() function besides the Auth() class?
Where can I find this kind of stuff on my own?  Thanks...



[web2py] Auth User Table Modifications

2013-10-29 Thread archeaneon
I was wondering how I would go about removing First Name and Last Name from 
the user table and making email not required. Is this possible without 
breaking Auth?

Again, thank you very much for your support!



Re: [web2py] Auth User Table Modifications

2013-10-29 Thread Richard Vézina
Hmmm... I think they are required.

Why would you do that?

I am pretty sure these fields are required by Auth; I would rather create my
own user table than alter it like that...

Richard


On Tue, Oct 29, 2013 at 10:10 AM, archean...@gmail.com wrote:

> I was wondering how I would go about removing First Name and Last Name
> from the user table and making email not required. Is this possible without
> breaking Auth?
>
> Again, thank you very much for your support!





[web2py] Auth modal redirects to profile instead of index

2013-09-24 Thread raferbop
def index():
    return dict(logform=auth.login(),regform=auth.register())

I put these two forms from the Auth module on the index page, inside a 
modal but when I login/register I am redirected to a profile page instead 
of the index page. What can I do to prevent the redirect or go to the index 
page?



Re: [web2py] Auth modal redirects to profile instead of index

2013-09-24 Thread Richard Vézina
You can use this in model :
auth.settings.login_next = URL(c='default', f='index')

Richard


On Tue, Sep 24, 2013 at 2:09 PM, raferbop rafer...@gmail.com wrote:

> def index():
>     return dict(logform=auth.login(),regform=auth.register())
>
> I put these two forms from the Auth module on the index page, inside a
> modal but when I login/register I am redirected to a profile page instead
> of the index page. What can I do to prevent the redirect or go to the index
> page?





Re: [web2py] Auth modal redirects to profile instead of index

2013-09-24 Thread raferbop
Thanks Richard,

I just tried it but it seems to have been ignored and I'm still being 
redirected to /default/user/profile



Re: [web2py] Auth modal redirects to profile instead of index

2013-09-24 Thread Massimo Di Pierro
Or without c and f:

auth.settings.login_next = URL('default', 'index')

On Tuesday, 24 September 2013 13:29:27 UTC-5, Richard wrote:

 You can use this in model :
 auth.settings.login_next = URL(c='default', f='index')

 Richard


 On Tue, Sep 24, 2013 at 2:09 PM, raferbop rafe...@gmail.com wrote:

 def index():
     return dict(logform=auth.login(), regform=auth.register())

 I put these two forms from the Auth module on the index page, inside a 
 modal but when I login/register I am redirected to a profile page instead 
 of the index page. What can I do to prevent the redirect or go to the index 
 page?
  


Re: [web2py] Auth modal redirects to profile instead of index

2013-09-24 Thread Richard Vézina
I think we will need more code to understand. What you are doing is not
standard. Notice also, Bootstrap Modal had a bug in the past and was
submitting all the forms present on the same page... I wrote a post about
that. I don't think this issue is gone and I think I had found a
workaround but don't remember...

Search the group with Modal issue form submit as keywords.

Hope it helps

Richard


On Tue, Sep 24, 2013 at 3:42 PM, Massimo Di Pierro 
massimo.dipie...@gmail.com wrote:

 Or without c and f:

 auth.settings.login_next = URL('default', 'index')


 On Tuesday, 24 September 2013 13:29:27 UTC-5, Richard wrote:

 You can use this in model :
 auth.settings.login_next = URL(c='default', f='index')

 Richard


 On Tue, Sep 24, 2013 at 2:09 PM, raferbop rafe...@gmail.com wrote:

 def index():
     return dict(logform=auth.login(), regform=auth.register())

 I put these two forms from the Auth module on the index page, inside a
 modal but when I login/register I am redirected to a profile page instead
 of the index page. What can I do to prevent the redirect or go to the index
 page?



[web2py] Auth-less authentication

2013-08-16 Thread Scott Hunter
For historical reasons, I have an appliance which does not use Auth, but 
its own table of users.  Passwords get stored in a similar way (that is, 
using a normal SQLFORM and a password field).  How, then, can I verify a 
user's password, since I am not using auth and thus do not have (direct) 
access to its methods for taking care of this?

(I realize the best answer would be to use Auth, and it may come to that, 
but I was hoping that there was an alternate solution.)

- Scott



[web2py] auth, redirect after login

2013-06-27 Thread royski


hello together,

my problem is, i want a simple redirect after a user is logged in.

i am using the auth setup from web2py:

my db.py:

auth = Auth(db)
auth.define_tables(username=True)
auth.settings.login_next = URL('welcome')  # this has no effect, after a user login the index page is still shown

the controller:

def index():  # this is my index page, the first page shown to the user, where the user can login or register
    user_auth = auth.login()
    user_auth.add_button('register me', URL('register_user'))
    return dict(user_auth=user_auth)

def invalid_user():
    return dict()

def welcome():  # after login was successful the user should be directed to welcome
    search = FORM('Search for:', INPUT(_name='name'),
                  INPUT(_type='submit', _value='go'))
    return dict(search=search)

def register_user():
    register = auth.register()
    if register.process().accepted:
        redirect(URL('welcome'))
    return dict(register=register)

the view: this is the first site that the user is shown

<h1>Login:</h1>
<br>
{{=user_auth}}  <!-- it simply shows the form from index(), its auth.login() -->

the flow is that the user first sees the index page with the login,
now the user is able to login or create an account,
if the user logs in with an already created account she should be 
redirected to the welcome page.



kind regards

Bartek










[web2py] auth(), check if name and password from login is in the database

2013-06-26 Thread royski


hello,
i am a beginner in web2py, and my problem is the login

this is the controller:

def index():
    user_auth = auth.login()
    user_auth.add_button('register me', URL('register_user'))

    # if auth.login():  # on this point i want authentication if the username and password are already in the db
    #     session.user_name = user_auth.vars.username
    #     redirect(URL('welcome'))
    # else:
    #     redirect(URL('invalid_user'))

    return dict(user_auth=user_auth)

i simply want to check if the username and the password, which were entered 
by the user in the login form, are in the auth.user database.

I use the default table but name instead of e-mail.



kind regards





[web2py] Auth registration adding a registration key with requires_approval disabled

2013-06-26 Thread Isaac Dontje Lindell
I have this in my db.py model:

## configure auth policy
auth.settings.registration_requires_verification = False
auth.settings.registration_requires_approval = False
auth.settings.reset_password_requires_verification = True

If I register for the application (at %app%/default/user/register), it goes 
through (I get a Success flash and an entry is added to the auth_user 
table.)  However, every time I register, a registration_key is added to the 
auth_user entry. The user is prevented from logging in until I remove the 
registration key from the auth_user row manually.

It's my understanding that the first 2 lines above should stop a 
registration_key from being added or created - the user should be able to 
log in immediately.

What am I missing?





[web2py] guidelines to implement oauth with basic web2py auth (noob question)

2013-04-03 Thread ctrlSoft
i want in my application to implement 2 kinds of auth (basic and oauth, in my 
case facebook)
1) should i keep them separate? or generate an entry in basic for every 
external first login
2) possibility to merge them later
3) should i create a custom Auth() for external login?

i'm a little confused with these methods. which is the best, simplest, easiest 
to implement.
i tried a few examples found here on groups but without success. i need 
something like web2pyslices.





[web2py] auth ajax - how about this way?

2013-04-01 Thread yashar

is it true that SQLFORMs redirect to the _next value when the SQLFORM is 
accepted? so i did this:

def lost_password():
    from gluon.serializers import json
    try:
        form = auth.retrieve_password()
    except HTTP:  # redirect() raises HTTP; i assume that the form redirects only if the email was sent to the user
        return json(dict(form=DIV(
            'Please check your email, an email was sent to you ',
            INPUT(_type='button', _value='Close', _class='btn btn-primary',
                  _onclick="$('#Modallogin').modal('hide');"))))
    return json(dict(form=form))

i checked that and it works, any idea?





[web2py] Auth with Janrain but still require registration

2013-03-27 Thread DeanK

So I want to be able to use Janrain, but I also want to have people have to 
register.  For my app initially i need to control when registration is open 
and when it is not, and currently using the examples i've seen, enabling 
Janrain makes anyone who can authenticate with one of the third party 
providers able to access the app and add an entry to auth_users.

This is what I did in db.py

from gluon.contrib.login_methods.rpx_account import use_janrain
auth.settings.actions_disabled=['change_password','request_reset_password']
use_janrain(auth, filename='private/janrain.key')

Once this is done auth works as described above, but the register button 
disappears and /default/user/register/ throws a 404.

Is there any way to still point to a registration page and make auth only 
allow users who already exist when logging in via Janrain?  Ideally 
/register would work and essentially after getting a token from Janrain it 
would redirect to profile to add additional user info.


Thanks,
Dean





[web2py] Re: web2py auth question

2013-02-18 Thread Leonel Câmara
You can use LOAD to put the login form on the homepage. It's also possible 
to do it in a completely ajaxified way, I did it using login_bare.





[web2py] web2py auth question

2013-02-17 Thread jburosh
I have a web2py application and was curious how to go to the public 
website, enter username/password in a form (or iframe) and if 
authentication is successful, it would load the application into the 
browser window.  Right now you click a login button and it redirects to 
web2py's login form.  Is there a way to securely pass auth credentials and 
log into the application and bypass the extra step?





Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-15 Thread howesc
Yes, that sounds similar to what i do.

 - i created a custom auth user table, it happens to be called end_user 
(though it can be called auth_user):
    auth.settings.table_user_name = 'end_user'
    auth.settings.table_user = db.end_user.table
    auth.define_tables()
 - My end_user table has some fun fields, the one you are interested in is:
    Field('apns_tokens', 'list:string')
 - Oauth happens with the client
 - client then does a POST to our api (/api/v7/user) with the APNS token as 
the payload
 - if i don't already have the APNS token i add it to the list and register 
it with my APNS service (you may use a 3rd party service such as 
UrbanAirship or Parse, or build your own)
 - note that i keep a list of tokens because my users have multiple devices 
and so multiple tokens.
 - we are starting our android port now, so i don't have an opinion about 
that yet.

does that help?

cfh 


On Wednesday, February 13, 2013 9:52:10 PM UTC-8, chris_g wrote:

 Thanks for all the interesting responses.

 Here is Apple's description of the Push notification process:
 
 http://developer.apple.com/library/mac/#documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/ApplePushService/ApplePushService.html

 There appears to be a similar framework for Android:
 http://developer.android.com/google/gcm/index.html

 To clarify, this process uses a Device Token which is generated per 
 app/iPhone . The UDID is not shared with the notification provider (ie the 
 web2py app).
 This process is not designed as an alternative to authentication. I am 
 looking at OAuth in addition to Push notifications. Push notifications are 
 merely to notify the user of status changes with the application.

 Fortunately my potential requirement will only involve authenticated users 
 receiving notifications. I would be guessing that the Device token would be 
 attached to the session data and/or to the auth_event table.
 Presumably, users can be simultaneously logged in on iOS and Android 
 devices and would expect to receive the correct notifications for their 
 respective devices.

 At this point I have done very little research into this, but I wanted to 
 start discussing these schemes with other developers who are encountering 
 similar needs.





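The token-registration step howesc describes above (the client POSTs its APNS token and the server adds it to the user's list if it is new), as an added example that is not code from the post. The in-memory store, the function names, the hex-format check, the per-user cap and the rule that a token belongs to only one account at a time are all assumptions made for the illustration.

```python
import re

# Constructed in-memory stand-in for the end_user table; in the post this is a
# web2py table with Field('apns_tokens', 'list:string').
END_USERS = {
    1: {"email": None, "apns_tokens": []},                 # anonymous install
    2: {"email": "known@example.com", "apns_tokens": []},  # known user
}

# Assumption: tokens arrive hex-encoded; the length bounds are illustrative.
TOKEN_RE = re.compile(r"^[0-9a-f]{64,200}$")
# Assumption: cap the list so one account cannot grow it without bound.
MAX_TOKENS_PER_USER = 10


class TokenRejected(ValueError):
    """Raised when the POSTed value does not look like a device token."""


def normalize_token(raw):
    """Strip '<', '>' and spaces, lowercase, and validate the token format."""
    if not isinstance(raw, str):
        raise TokenRejected("token must be a string")
    token = raw.strip().strip("<>").replace(" ", "").lower()
    if not TOKEN_RE.match(token):
        raise TokenRejected("token is not a hex device token")
    return token


def register_apns_token(user_id, raw_token, notify_service=None):
    """Store a device token for the authenticated user.

    user_id must come from the validated access token of the request, never
    from the request body. Returns True if the token was newly stored for this
    user, False if the user already had it.
    """
    user = END_USERS.get(user_id)
    if user is None:
        raise KeyError("unknown user")
    token = normalize_token(raw_token)

    if token in user["apns_tokens"]:
        return False

    # Assumption: a device token identifies one app install, so if another
    # account still holds it, move it rather than notify two accounts.
    for other_id, other in END_USERS.items():
        if other_id != user_id and token in other["apns_tokens"]:
            other["apns_tokens"].remove(token)

    if len(user["apns_tokens"]) >= MAX_TOKENS_PER_USER:
        user["apns_tokens"].pop(0)  # drop the oldest token
    user["apns_tokens"].append(token)

    if notify_service is not None:
        notify_service(token)  # hand the new token to the push provider
    return True
```
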




Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-13 Thread chris_g
Thanks for all the interesting responses.

Here is Apple's description of the Push notification process:

http://developer.apple.com/library/mac/#documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/ApplePushService/ApplePushService.html

There appears to be a similar framework for Android:
http://developer.android.com/google/gcm/index.html

To clarify, this process uses a Device Token which is generated per 
app/iPhone . The UDID is not shared with the notification provider (ie the 
web2py app).
This process is not designed as an alternative to authentication. I am 
looking at OAuth in addition to Push notifications. Push notifications are 
merely to notify the user of status changes with the application.

Fortunately my potential requirement will only involve authenticated users 
receiving notifications. I would be guessing that the Device token would be 
attached to the session data and/or to the auth_event table.
Presumably, users can be simultaneously logged in on iOS and Android 
devices and would expect to receive the correct notifications for their 
respective devices.

At this point I have done very little research into this, but I wanted to 
start discussing these schemes with other developers who are encountering 
similar needs.







Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-12 Thread howesc
for our system we have anonymous users (users with no email address), and 
known users (users with an email address).

Apple does not expose the MAC address, the IMEI or the apple UDID of iOS 
devices to developers.  their policies strictly forbid the use of hardware 
identifiers in apps distributed via the app store.

Apple also strongly suggests that you verify all in-app-purchases from your 
server to prevent theft (and it's worth it, i see lots of attempted theft)

so, given that our business wants users to be able to use 95% of the app's 
features without creating an account (sharing your email/password and 
some other info we ask for), and we use apple's receipt verification to 
check for fraudulent purchases, both the client and the server have to know 
about a particular application install.  that gets us to where i am at 
today:
 - app launches and gets an OAuth token from the server (creates an 
end_user record on the server) (this OAuth token essentially becomes an 
application installation identifier)
 - app stores data about the user
 - server stores data about the user
 - later user may login which may be logging in to an existing account 
they made on another device (cause lots of apple device users have multiple 
devices) or a new user.  in the login case we merge the activity of the 
user from before login.

now if the business would allow us to require login before the user started 
the app, problem is solved... but we would lose 50-70% of our new users 
daily.

On Monday, February 11, 2013 9:01:40 PM UTC-8, Alec Taylor wrote:

 On Tue, Feb 12, 2013 at 4:29 AM, howesc how...@umich.edu wrote:
  Thanks Alec, that will be a nice contribution.

  re my special odd pain in the rear-end login flow... well we (the
  engineers) failed to sell that to the business.  users can make purchases
  via apple without a proper logged in account, and we need to track those on
  the server.  hence the anonymous user.  it would be really nice if apple
  shared with us the itunes user ID on app launch, but they don't because they
  believe that violates the user's privacy (and i kinda agree on that point).
  So i'm stuck with an overly complex login flow. :(

  cfh

 How do you differentiate between different anonymous users? 

 Are you looking at MAC address or other related IDs? 

 It sounds to me that that's still an open problem. And that not 
 generating any ID but storing data in LocalStorage (or a cookie; or 
 whatever else: locally) would be the most secure way of confirming 
 accountability. 

 Given an e-commerce scenario; on checkout the anonymous user would 
 submit their entire LocalStorage; which obviously includes cart. Their 
 shipping details and whatnot would include an email address, so create 
 them that profile; log them in; and email them their randomly 
 generated password. 

 #problem=solved 


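The anonymous-install flow howesc lists above (a token issued on first launch, activity merged into the account on login), as an added example that is not code from the post. The in-memory tables, the function names, storing only a digest of each token and revoking the anonymous token after the merge are assumptions made for the illustration.

```python
import hashlib
import itertools
import secrets

USERS = {}    # user_id -> {"email": str or None, "purchases": [receipt ids]}
TOKENS = {}   # sha256(token) -> user_id; the raw token is never stored
_ids = itertools.count(1)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(user_id):
    token = secrets.token_urlsafe(32)
    TOKENS[_digest(token)] = user_id
    return token


def first_launch():
    """App launch without a token: create an anonymous user, return its token."""
    user_id = next(_ids)
    USERS[user_id] = {"email": None, "purchases": []}
    return _issue_token(user_id)


def user_for_token(token):
    """Return the user id the token maps to, or None if it is unknown/revoked."""
    return TOKENS.get(_digest(token))


def record_purchase(token, receipt_id):
    """Attach a server-verified receipt to whichever user the token maps to."""
    user_id = user_for_token(token)
    if user_id is None:
        raise PermissionError("invalid token")
    USERS[user_id]["purchases"].append(receipt_id)


def login_and_merge(anon_token, email, credentials_ok):
    """Attach the anonymous install's activity to the account for `email`.

    credentials_ok stands for the server's own password check; the merge only
    runs after it succeeds. Returns (user_id, new_token).
    """
    anon_id = user_for_token(anon_token)
    if anon_id is None or not credentials_ok:
        raise PermissionError("login failed")
    if USERS[anon_id]["email"] is not None:
        raise PermissionError("token does not belong to an anonymous install")

    known_id = next((uid for uid, u in USERS.items() if u["email"] == email), None)
    if known_id is None:
        # New user: promote the anonymous record in place.
        USERS[anon_id]["email"] = email
        known_id = anon_id
    else:
        # Existing account from another device: move activity across once.
        for receipt in USERS[anon_id]["purchases"]:
            if receipt not in USERS[known_id]["purchases"]:
                USERS[known_id]["purchases"].append(receipt)
        del USERS[anon_id]

    # Rotate: the pre-login token stops working, a fresh one is bound to the
    # known account.
    del TOKENS[_digest(anon_token)]
    return known_id, _issue_token(known_id)
```
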




Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-12 Thread Alec Taylor
Hmm; good point.

On Wed, Feb 13, 2013 at 4:30 AM, howesc how...@umich.edu wrote:
 for our system we have anonymous users (users with no email address), and
 known users (users with an email address).

 Apple does not expose the MAC address, the IMEI or the apple UDID of iOS
 devices to developers.  their policies strictly forbid the use of hardware
 identifiers in apps distributed via the app store.

 Apple also strongly suggests that you verify all in-app-purchases from your
 server to prevent theft (and it's worth it, i see lots of attempted theft)

 so, given that our business wants users to be able to use 95% of the app's
 features without creating an account (sharing your email/password and some
 other info we ask for), and we use apple's receipt verification to check for
 fraudulent purchases, both the client and the server have to know about a
 particular application install.  that gets us to where i am at today:
  - app launches and gets an OAuth token from the server (creates an end_user
 record on the server) (this OAuth token essentially becomes an application
 installation identifier)
  - app stores data about the user
  - server stores data about the user
  - later user may login which may be logging in to an existing account
 they made on another device (cause lots of apple device users have multiple
 devices) or a new user.  in the login case we merge the activity of the user
 from before login.

 now if the business would allow us to require login before the user started
 the app, problem is solved... but we would lose 50-70% of our new users
 daily.

 On Monday, February 11, 2013 9:01:40 PM UTC-8, Alec Taylor wrote:

 On Tue, Feb 12, 2013 at 4:29 AM, howesc how...@umich.edu wrote:
  Thanks Alec, that will be a nice contribution.

  re my special odd pain in the rear-end login flow... well we (the
  engineers) failed to sell that to the business.  users can make purchases
  via apple without a proper logged in account, and we need to track those on
  the server.  hence the anonymous user.  it would be really nice if apple
  shared with us the itunes user ID on app launch, but they don't because they
  believe that violates the user's privacy (and i kinda agree on that point).
  So i'm stuck with an overly complex login flow. :(

  cfh

 How do you differentiate between different anonymous users?

 Are you looking at MAC address or other related IDs?

 It sounds to me that that's still an open problem. And that not
 generating any ID but storing data in LocalStorage (or a cookie; or
 whatever else: locally) would be the most secure way of confirming
 accountability.

 Given an e-commerce scenario; on checkout the anonymous user would
 submit their entire LocalStorage; which obviously includes cart. Their
 shipping details and whatnot would include an email address, so create
 them that profile; log them in; and email them their randomly
 generated password.

 #problem=solved





Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-11 Thread howesc
Thanks Alec, that will be a nice contribution.

re my special odd pain in the rear-end login flow... well we (the 
engineers) failed to sell that to the business.  users can make purchases 
via apple without a proper logged in account, and we need to track those on 
the server.  hence the anonymous user.  it would be really nice if apple 
shared with us the itunes user ID on app launch, but they don't because 
they believe that violates the user's privacy (and i kinda agree on that 
point).  So i'm stuck with an overly complex login flow. :(

cfh

On Sunday, February 10, 2013 9:55:35 PM UTC-8, Alec Taylor wrote:

 Not to worry, I'm releasing a generalised open-source OAuth2 Library for 
 web2py. 

 As for your current mechanism of anonymous tokens… how about just 
 storing a cookie (or some other client-side storage) and when the user 
 logs-in or registers all their customisations (e.g.: if e-commerce, 
 their cart) will be sent securely to the server on receipt of 
 successful authentication. 

 That would be a much cleaner, more secure, streamlined and 
 self-contained model than your current one. 

 On Sun, Feb 10, 2013 at 9:33 AM, howesc how...@umich.edu wrote:
   - Apple explicitly does not allow using the hardware identifier in your
  app, and will reject app submission that do that.  because of this each app
  install logs in first as an anonymous user.
   - website users use standard web2py auth
   - app connections to the server use our modified OAuth API implementation.
  this forgoes web2py auth, but reads and writes to the same user table that
  web2py auth uses.  this allows the 2 different systems to connect.
   - the mobile apps are native code on their respective platforms, the
  website is html.

  unfortunately our modified OAuth implementation is pretty specific to our
  needs and so i don't think it's a candidate for us to open source.  i'll
  take a look into what we are doing though to see if any of it can/should be
  open sourced.

  cfh


  On Saturday, February 9, 2013 11:40:50 AM UTC-8, Kenny wrote:

  Howesc,
  Thanks for great info. So, does mobile app user have to register web2py
  via access token provided by their hardware in mobile application? May you
  explain how you built the login/registration module for mobile app users
  along with web2py?
  Do you code in html5 with native code for developing your mobile app?

  Sorry for asking more than one question, this topic sounds so interesting!
  :)

  Thank you!

  On Feb 9, 2013 11:45 AM, howesc how...@umich.edu wrote:

  well what we are using is a hybrid model:
   - the ios device uses a modified form of OAuth to get access tokens (and
  we have the confusing problem of users start anonymous but with an access
  token, and then may later create an account associating an email and other
  user data with the account)
   - the website uses web2py's auth to login those same users
   - the APNS token (Apple Push Notification Service) is provided
  optionally by the user if they opt-in to push notifications.  as such it's
  not a primary key for the user and can't be used for authentication.  if
  the user chooses to share it with us we store that in a field on our user
  table.  Note that the APNS token is device specific, so if the user has
  multiple devices then they might have multiple tokens.

  does that clarify at all?

  cfh

  On Friday, February 8, 2013 9:46:42 PM UTC-8, Massimo Di Pierro wrote:

  I do not know how this works. Can you give us more details?

  On Friday, 8 February 2013 20:31:14 UTC-6, howesc wrote:

  i have millions of APNS tokens! i'd share, but they are tied to an app

  i did not tie APNS tokens to web2py auth, but i added fields to my end
  user table, and the device uses my REST JSON API to POST the APNS tokens to
  the server and update the user.  we don't use the APNS token as any sort of
  user identifier.

  does that help?  lemme know if you are interested in more details.

  christian

  On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:

  I'm looking into supporting Apple push notifications in an iPhone app
  that connects to a web2py server.
  In order to know which devices to push details to, web2py's auth
  module would presumably need to maintain Device Tokens.
  I'm curious if anyone has implemented a solution that takes care of
  this. I'd like to see how it was integrated with web2py's auth.

  Thanks,
  Chris
  

Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-11 Thread Kenny Chung
Thank you, guys. :) I think I should try to implement one, when I am free.

Do you know any open source for iphone oauth login as well as android?

I am actually passing login credentials to web2py from android app via
given web2py lib.
On Feb 11, 2013 11:29 AM, howesc how...@umich.edu wrote:

 Thanks Alec, that will be a nice contribution.

 re my special odd pain in the rear-end login flow... well we (the
 engineers) failed to sell that to the business.  users can make purchases
 via apple without a proper logged in account, and we need to track those on
 the server.  hence the anonymous user.  it would be really nice if apple
 shared with us the itunes user ID on app launch, but they don't because
 they believe that violates the user's privacy (and i kinda agree on that
 point).  So i'm stuck with an overly complex login flow. :(

 cfh

 On Sunday, February 10, 2013 9:55:35 PM UTC-8, Alec Taylor wrote:

 Not to worry, I'm releasing a generalised open-source OAuth2 Library for
 web2py.

 As for your current mechanism of anonymous tokens… how about just
 storing a cookie (or some other client-side storage) and when the user
 logs-in or registers all their customisations (e.g.: if e-commerce,
 their cart) will be sent securely to the server on receipt of
 successful authentication.

 That would be a much cleaner, more secure, streamlined and
 self-contained model than your current one.

 On Sun, Feb 10, 2013 at 9:33 AM, howesc how...@umich.edu wrote:
   - Apple explicitly does not allow using the hardware identifier in your
  app, and will reject app submission that do that.  because of this each app
  install logs in first as an anonymous user.
   - website users use standard web2py auth
   - app connections to the server use our modified OAuth API implementation.
  this forgoes web2py auth, but reads and writes to the same user table that
  web2py auth uses.  this allows the 2 different systems to connect.
   - the mobile apps are native code on their respective platforms, the
  website is html.

  unfortunately our modified OAuth implementation is pretty specific to our
  needs and so i don't think it's a candidate for us to open source.  i'll
  take a look into what we are doing though to see if any of it can/should be
  open sourced.

  cfh


  On Saturday, February 9, 2013 11:40:50 AM UTC-8, Kenny wrote:

  Howesc,
  Thanks for great info. So, does mobile app user have to register web2py
  via access token provided by their hardware in mobile application? May you
  explain how you built the login/registration module for mobile app users
  along with web2py?
  Do you code in html5 with native code for developing your mobile app?

  Sorry for asking more than one question, this topic sounds so interesting!
  :)

  Thank you!

  On Feb 9, 2013 11:45 AM, howesc how...@umich.edu wrote:

  well what we are using is a hybrid model:
   - the ios device uses a modified form of OAuth to get access tokens (and
  we have the confusing problem of users start anonymous but with an access
  token, and then may later create an account associating an email and other
  user data with the account)
   - the website uses web2py's auth to login those same users
   - the APNS token (Apple Push Notification Service) is provided
  optionally by the user if they opt-in to push notifications.  as such it's
  not a primary key for the user and can't be used for authentication.  if
  the user chooses to share it with us we store that in a field on our user
  table.  Note that the APNS token is device specific, so if the user has
  multiple devices then they might have multiple tokens.

  does that clarify at all?

  cfh

  On Friday, February 8, 2013 9:46:42 PM UTC-8, Massimo Di Pierro wrote:

  I do not know how this works. Can you give us more details?

  On Friday, 8 February 2013 20:31:14 UTC-6, howesc wrote:
 
  i have millions of APNS tokens! i'd share, but they are tied to an
  app
 
  i did not tie APNS tokens to web2py auth, but i added fields to my
 end
  user table, and the device uses my REST JSON API to POST the APNS
 tokens to
  the server and update the user.  we don't use the APNS token as any
 sort of
  user identifier.
 
  does that help?  lemme know if you are interested in more details.
 
  christian
 
  On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:
 
  I'm looking into supporting Apple push notifications in an iPhone
 app
  that connects to a web2py server.
  In order to know which devices to push details to, web2py's auth
  module would presumably need to maintain Device Tokens.
  I'm curious if anyone has implemented a solution that takes care
 of
  this. I'd like to see how it was integrated with web2py's auth.
 
  Thanks,
  Chris
 

Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-11 Thread Alec Taylor
On Tue, Feb 12, 2013 at 4:29 AM, howesc how...@umich.edu wrote:
 Thanks Alec, that will be a nice contribution.

 re my special odd pain in the rear-end login flow.well we (the
 engineers) failed to sell that to the business.  users can make purchases
 via apple without a proper logged in account, and we need to track those on
 the server.  hence the anonymous user.  it would be really nice if apple
 shared with us the itunes user ID on app launch, but they don't because they
 believe that violates the user's privacy (and i kinda agree on that point).
 So i'm stuck with an overly complex login flow. :(

 cfh

How do you differentiate between different anonymous users?

Are you looking at MAC address or other related IDs?

It sounds to me that that's still an open problem. And that not
generating any ID but storing data in LocalStorage (or a cookie; or
whatever else: locally) would be the most secure way of confirming
accountability.

Given an e-commerce scenario; on checkout the anonymous user would
submit their entire LocalStorage; which obviously includes cart. Their
shipping details and whatnot would include an email address, so create
them that profile; log them in; and email them their randomly
generated password.

#problem=solved





Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-10 Thread Alec Taylor
Not to worry, I'm releasing a generalised open-source OAuth2 Library for web2py.

As for your current mechanism of anonymous tokens… how about just
storing a cookie (or some other client-side storage) and when the user
logs-in or registers all their customisations (e.g.: if e-commerce,
their cart) will be sent securely to the server on receipt of
successful authentication.

That would be a much cleaner, more secure, streamlined and
self-contained model than your current one.

On Sun, Feb 10, 2013 at 9:33 AM, howesc how...@umich.edu wrote:
  - Apple explicitly does not allow using the hardware identifier in your
 app, and will reject app submission that do that.  because of this each app
 install logs in first as an anonymous user.
  - website users use standard web2py auth
  - app connections to the server use our modified OAuth API implementation.
 this forgoes web2py auth, but reads and writes to the same user table that
 web2py auth uses.  this allows the 2 different systems to connect.
  - the mobile apps are native code on their respective platforms, the
 website is html.

 unfortunately our modified OAuth implementation is pretty specific to our
 needs and so i don't think it's a candidate for us to open source.  i'll
 take a look into what we are doing though to see if any of it can/should be
 open sourced.

 cfh


 On Saturday, February 9, 2013 11:40:50 AM UTC-8, Kenny wrote:

 Howesc,
 Thanks for great info. So, does mobile app user have to register web2py
 via access token provided by their hardware in mobile application? May you
 explain how you built the login/registration module for mobile app users
 along with web2py?
 Do you code in html5 with native code for developing your mobile app?

 Sorry for asking more than one question, this topic sounds so interesting!
 :)

 Thank you!

 On Feb 9, 2013 11:45 AM, howesc how...@umich.edu wrote:

 well what we are using is a hybrid model:
  - the ios device uses a modified form of OAuth to get access tokens (and
 we have the confusing problem of users start anonymous but with an access
 token, and then may later create an account associating an email and other
 user data with the account)
  - the website uses web2py's auth to login those same users
  - the APNS token (Apple Push Notification Service) is provided
 optionally by the user if they opt-in to push notifications.  as such it's
 not a primary key for the user and can't be used for authentication.   if
 the user chooses to share it with us we store that in a field on our user
 table.  Note that the APNS token is device specific, so if the user has
 multiple devices then they might have multiple tokens.

 does that clarify at all?

 cfh

 On Friday, February 8, 2013 9:46:42 PM UTC-8, Massimo Di Pierro wrote:

 I do not know how this works. Can you give us more details?

 On Friday, 8 February 2013 20:31:14 UTC-6, howesc wrote:

 i have millions of APNS tokens! i'd share, but they are tied to an
 app

 i did not tie APNS tokens to web2py auth, but i added fields to my end
 user table, and the device uses my REST JSON API to POST the APNS tokens 
 to
 the server and update the user.  we don't use the APNS token as any sort 
 of
 user identifier.

 does that help?  lemme know if you are interested in more details.

 christian

 On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:

 I'm looking into supporting Apple push notifications in an iPhone app
 that connects to a web2py server.
 In order to know which devices to push details to, web2py's auth
 module would presumably need to maintain Device Tokens.
 I'm curious if anyone has implemented a solution that takes care of
 this. I'd like to see how it was integrated with web2py's auth.

 Thanks,
 Chris





[web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-09 Thread howesc
well what we are using is a hybrid model:
 - the ios device uses a modified form of OAuth to get access tokens (and 
we have the confusing problem of users start anonymous but with an access 
token, and then may later create an account associating an email and 
other user data with the account)
 - the website uses web2py's auth to login those same users
 - the APNS token (Apple Push Notification Service) is provided optionally 
by the user if they opt-in to push notifications.  as such it's not a 
primary key for the user and can't be used for authentication.   if the 
user chooses to share it with us we store that in a field on our user 
table.  Note that the APNS token is device specific, so if the user has 
multiple devices then they might have multiple tokens.

does that clarify at all?

cfh

On Friday, February 8, 2013 9:46:42 PM UTC-8, Massimo Di Pierro wrote:

 I do not know how this works. Can you give us more details?

 On Friday, 8 February 2013 20:31:14 UTC-6, howesc wrote:

 i have millions of APNS tokens! i'd share, but they are tied to an app

 i did not tie APNS tokens to web2py auth, but i added fields to my end 
 user table, and the device uses my REST JSON API to POST the APNS tokens to 
 the server and update the user.  we don't use the APNS token as any sort of 
 user identifier.

 does that help?  lemme know if you are interested in more details.

 christian

 On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:

 I'm looking into supporting Apple push notifications in an iPhone app 
 that connects to a web2py server.
 In order to know which devices to push details to, web2py's auth module 
 would presumably need to maintain Device Tokens.
 I'm curious if anyone has implemented a solution that takes care of 
 this. I'd like to see how it was integrated with web2py's auth.

 Thanks,
 Chris







Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-09 Thread Kenny Chung
Howesc,
Thanks for great info. So, does mobile app user have to register web2py via
access token provided by their hardware in mobile application? May you
explain how you built the login/registration module for mobile app users
along with web2py?
Do you code in html5 with native code for developing your mobile app?

Sorry for asking more than one question, this topic sounds so interesting!
:)

Thank you!
On Feb 9, 2013 11:45 AM, howesc how...@umich.edu wrote:

 well what we are using is a hybrid model:
  - the ios device uses a modified form of OAuth to get access tokens (and
 we have the confusing problem of users start anonymous but with an access
 token, and then may later create an account associating an email and
 other user data with the account)
  - the website uses web2py's auth to login those same users
  - the APNS token (Apple Push Notification Service) is provided optionally
 by the user if they opt-in to push notifications.  as such it's not a
 primary key for the user and can't be used for authentication.   if the
 user chooses to share it with us we store that in a field on our user
 table.  Note that the APNS token is device specific, so if the user has
 multiple devices then they might have multiple tokens.

 does that clarify at all?

 cfh

 On Friday, February 8, 2013 9:46:42 PM UTC-8, Massimo Di Pierro wrote:

 I do not know how this works. Can you give us more details?

 On Friday, 8 February 2013 20:31:14 UTC-6, howesc wrote:

 i have millions of APNS tokens! i'd share, but they are tied to an
 app

 i did not tie APNS tokens to web2py auth, but i added fields to my end
 user table, and the device uses my REST JSON API to POST the APNS tokens to
 the server and update the user.  we don't use the APNS token as any sort of
 user identifier.

 does that help?  lemme know if you are interested in more details.

 christian

 On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:

 I'm looking into supporting Apple push notifications in an iPhone app
 that connects to a web2py server.
 In order to know which devices to push details to, web2py's auth module
 would presumably need to maintain Device Tokens.
 I'm curious if anyone has implemented a solution that takes care of
 this. I'd like to see how it was integrated with web2py's auth.

 Thanks,
 Chris





Re: [web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-09 Thread howesc
 - Apple explicitly does not allow using the hardware identifier in your 
app, and will reject app submission that do that.  because of this each app 
install logs in first as an anonymous user.
 - website users use standard web2py auth
 - app connections to the server use our modified OAuth API 
implementation.  this forgoes web2py auth, but reads and writes to the same 
user table that web2py auth uses.  this allows the 2 different systems to 
connect.
 - the mobile apps are native code on their respective platforms, the 
website is html.

unfortunately our modified OAuth implementation is pretty specific to our 
needs and so i don't think it's a candidate for us to open source.  i'll 
take a look into what we are doing though to see if any of it can/should be 
open sourced.

cfh

On Saturday, February 9, 2013 11:40:50 AM UTC-8, Kenny wrote:

 Howesc,
 Thanks for great info. So, does mobile app user have to register web2py 
 via access token provided by their hardware in mobile application? May you 
 explain how you built the login/registration module for mobile app users 
 along with web2py?
 Do you code in html5 with native code for developing your mobile app?  

 Sorry for asking more than one question, this topic sounds so interesting! 
 :)

 Thank you!
 On Feb 9, 2013 11:45 AM, howesc how...@umich.edu wrote:

 well what we are using is a hybrid model:
  - the ios device uses a modified form of OAuth to get access tokens (and 
 we have the confusing problem of users start anonymous but with an access 
 token, and then may later create an account associating an email and 
 other user data with the account)
  - the website uses web2py's auth to login those same users
  - the APNS token (Apple Push Notification Service) is provided 
 optionally by the user if they opt-in to push notifications.  as such it's 
 not a primary key for the user and can't be used for authentication.   if 
 the user chooses to share it with us we store that in a field on our user 
 table.  Note that the APNS token is device specific, so if the user has 
 multiple devices then they might have multiple tokens.

 does that clarify at all?

 cfh

 On Friday, February 8, 2013 9:46:42 PM UTC-8, Massimo Di Pierro wrote:

 I do not know how this works. Can you give us more details?

 On Friday, 8 February 2013 20:31:14 UTC-6, howesc wrote:

 i have millions of APNS tokens! i'd share, but they are tied to an 
 app

 i did not tie APNS tokens to web2py auth, but i added fields to my end 
 user table, and the device uses my REST JSON API to POST the APNS tokens 
 to 
 the server and update the user.  we don't use the APNS token as any sort 
 of 
 user identifier.

 does that help?  lemme know if you are interested in more details.

 christian

 On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:

 I'm looking into supporting Apple push notifications in an iPhone app 
 that connects to a web2py server.
 In order to know which devices to push details to, web2py's auth 
 module would presumably need to maintain Device Tokens.
 I'm curious if anyone has implemented a solution that takes care of 
 this. I'd like to see how it was integrated with web2py's auth.

 Thanks,
 Chris





[web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-08 Thread howesc
i have millions of APNS tokens! i'd share, but they are tied to an app

i did not tie APNS tokens to web2py auth, but i added fields to my end user 
table, and the device uses my REST JSON API to POST the APNS tokens to the 
server and update the user.  we don't use the APNS token as any sort of 
user identifier.

does that help?  lemme know if you are interested in more details.

christian

On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:

 I'm looking into supporting Apple push notifications in an iPhone app that 
 connects to a web2py server.
 In order to know which devices to push details to, web2py's auth module 
 would presumably need to maintain Device Tokens.
 I'm curious if anyone has implemented a solution that takes care of this. 
 I'd like to see how it was integrated with web2py's auth.

 Thanks,
 Chris
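
The storage scheme howesc describes in this message and in the 2013-02-09 message above (device tokens POSTed to a JSON API, several per user, never used as a login credential), as an added example that is not code from the thread or from web2py. It uses plain sqlite3 rather than web2py's DAL; the table names, `register_device` and the bearer-token lookup are assumptions.

```python
import json
import re
import sqlite3

# Assumption: tokens arrive hex-encoded. The token is treated as opaque, so only
# the alphabet and a generous size bound are checked.
HEX_TOKEN = re.compile(r"[0-9a-f]{64,200}")


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE auth_user (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE access_token (token TEXT PRIMARY KEY,
                                   user_id INTEGER NOT NULL REFERENCES auth_user(id));
        -- One row per device, so a user with several devices has several rows.
        CREATE TABLE device_token (apns_token TEXT PRIMARY KEY,
                                   user_id INTEGER NOT NULL REFERENCES auth_user(id));
    """)
    return db


def user_for_bearer(db, authorization_header):
    """Resolve the caller from the API access token; None if not authenticated."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    row = db.execute("SELECT user_id FROM access_token WHERE token = ?",
                     (authorization_header[len("Bearer "):],)).fetchone()
    return row[0] if row else None


def tokens_for_user(db, user_id):
    rows = db.execute("SELECT apns_token FROM device_token WHERE user_id = ? "
                      "ORDER BY apns_token", (user_id,)).fetchall()
    return [r[0] for r in rows]


def register_device(db, authorization_header, body):
    """Handle a POST of {"apns_token": "..."}; returns (http_status, payload)."""
    # The user comes from the access token only. The APNS token in the body
    # is data about a device and is never used to decide who is calling.
    user_id = user_for_bearer(db, authorization_header)
    if user_id is None:
        return 401, {"error": "invalid access token"}
    try:
        token = json.loads(body)["apns_token"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "expected JSON object with apns_token"}
    if not isinstance(token, str) or not HEX_TOKEN.fullmatch(token.lower()):
        return 400, {"error": "malformed apns_token"}
    # If the same device later signs in under another account, the row moves
    # to that account so pushes are not delivered for the previous user.
    db.execute("INSERT OR REPLACE INTO device_token (apns_token, user_id) "
               "VALUES (?, ?)", (token.lower(), user_id))
    db.commit()
    return 200, {"devices": len(tokens_for_user(db, user_id))}


def demo():
    db = make_db()
    db.execute("INSERT INTO auth_user VALUES (1, NULL)")  # app install that is still anonymous
    db.execute("INSERT INTO auth_user VALUES (2, 'b@example.com')")
    db.executemany("INSERT INTO access_token VALUES (?, ?)",
                   [("tok-anon", 1), ("tok-b", 2)])
    phone, tablet = "a" * 64, "b" * 64  # constructed sample tokens
    results = [
        register_device(db, "Bearer tok-anon", json.dumps({"apns_token": phone})),
        register_device(db, "Bearer tok-anon", json.dumps({"apns_token": tablet})),
        # Knowing a device token is not authentication: no access token, no update.
        register_device(db, None, json.dumps({"apns_token": phone})),
        # The phone is now signed in as user 2, so its row is re-bound.
        register_device(db, "Bearer tok-b", json.dumps({"apns_token": phone})),
    ]
    return results, tokens_for_user(db, 1), tokens_for_user(db, 2)


if __name__ == "__main__":
    print(demo())
```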






[web2py] Re: Integrating iPhone device tokens into web2py auth

2013-02-08 Thread Massimo Di Pierro
I do not know how this works. Can you give us more details?

On Friday, 8 February 2013 20:31:14 UTC-6, howesc wrote:

 i have millions of APNS tokens! i'd share, but they are tied to an app

 i did not tie APNS tokens to web2py auth, but i added fields to my end 
 user table, and the device uses my REST JSON API to POST the APNS tokens to 
 the server and update the user.  we don't use the APNS token as any sort of 
 user identifier.

 does that help?  lemme know if you are interested in more details.

 christian

 On Thursday, February 7, 2013 5:22:28 PM UTC-8, chris_g wrote:

 I'm looking into supporting Apple push notifications in an iPhone app 
 that connects to a web2py server.
 In order to know which devices to push details to, web2py's auth module 
 would presumably need to maintain Device Tokens.
 I'm curious if anyone has implemented a solution that takes care of this. 
 I'd like to see how it was integrated with web2py's auth.

 Thanks,
 Chris







Re: [web2py] Integrating iPhone device tokens into web2py auth

2013-02-08 Thread Alec Taylor
You'd probably be better off using OAuth2…

On Fri, Feb 8, 2013 at 12:22 PM, chris_g chrisgu...@gmail.com wrote:
 I'm looking into supporting Apple push notifications in an iPhone app that
 connects to a web2py server.
 In order to know which devices to push details to, web2py's auth module
 would presumably need to maintain Device Tokens.
 I'm curious if anyone has implemented a solution that takes care of this.
 I'd like to see how it was integrated with web2py's auth.

 Thanks,
 Chris





[web2py] Integrating iPhone device tokens into web2py auth

2013-02-07 Thread chris_g
I'm looking into supporting Apple push notifications in an iPhone app that 
connects to a web2py server.
In order to know which devices to push details to, web2py's auth module 
would presumably need to maintain Device Tokens.
I'm curious if anyone has implemented a solution that takes care of this. 
I'd like to see how it was integrated with web2py's auth.

Thanks,
Chris





[web2py] Auth with Wordpress

2013-02-05 Thread Kenneth
Hello,

I have a case where an old site is done with Wordpress as front and 
authentication from an external database. Showing of content is then 
handled with some kind of XML viewer. Site contains 12 manuals. Manual 13 is 
done with web2py and the idea is to throw out the very old Wordpress and 
XML viewer and handle everything from web2py. But due to time constraints 
we need to have everything as it is now and only show the new manual from 
web2py. 

But how do I handle that WP takes care of authentication and somehow gives 
the customer rights to view the manual. 

Any ideas how to do this?


Kenneth





[web2py] Auth login causing closed database

2013-01-29 Thread pinwc4
Recently I upgraded to 2.32 from an older 1.99 version and have been 
running into an odd auth problem.  I have 2 copies of an application hosted 
on a VM under one instance of web2py using Apache/WSGI.  I can log into one 
of the apps however if I then try to login to the other copy I instead get 
a Ticket with the error ProgrammingError: Cannot operate on a closed 
database.  The database in this case is SQLite.  

It does not matter which copy of the app I log into, it happens either 
direction.  Once I start getting that error on one of the apps the error 
continues until I reset Apache.  However the error only occurs with the 
Auth, other portions of the app that use database access work fine.  The 
applications themselves are identical copies outside of some layout 
differences for looks and I use different DNS names for each.  They do not 
share any auth through CAS etc. the auth_user tables are independent.  I 
thought maybe it was session related since I was logging in from the same 
browser so I tried different session storage, cookies/db/files but that did 
not make a difference.  The problem even happens if I log into one site 
from Firefox and then log into the second site with IE.  The second site 
will then start giving this error.

Does anyone have any ideas why logging into the second site would cause the 
database connection to close?  I did not have this problem with 1.99 but I 
do not want to downgrade as I am starting to use newer features introduced.





[web2py] Auth login with Firefox

2013-01-18 Thread villas
Using trunk / Win Vista / 
Login works OK with Chrome and IE,  but fails with Firefox.
I enter User and Password and click Login.  The fields are cleared and the 
login form redisplayed, but no login.
I tried clearing session files and all cookies and other browser data,  but 
cannot get it working.
Has anything changed?  Any suggestions?  
David

-- 





[web2py] Auth Wiki functionality?

2012-10-16 Thread Bill Thayer
Hello everyone,

Thanks to Allen, Villas, of course Massimo among a few others I have web2py 
auth.wiki with Oracle storing the media blobs and all the pages.  I believe 
I can use the wiki features in a structured way to improve productivity and 
cross department functionality in my workplace.

Now what in the heck to do with it?

The app wizard created a bunch of controllers like
@auth.requires_login()
def part_manage():
    form = SQLFORM.smartgrid(db.part)
    return locals()



but if I add
@{component:default/part_manage}
to my markmin I get a page with my SQLFORM.smartgrid inside a page so I get 
two footers and two headers. Not to mention the add and edit pages should 
really be a wiki page with my table attributes added.

Looks like auth-wiki is for creating web pages but what caught my attention 
was the media and tagging capability built in so I don't have to write my 
own app to do what's already there. However, I have a bunch of tables 
(parts, sub parts, orders, samples, testing, analyses for tested samples, 
etc...) defined for my application and  basically 75% of the items have 
attachments, images, files, user references and tags too. 

Unless someone says different I guess I should be adding a wiki_page column 
to all of my tables? Then create separate edit/show/create controllers that 
generate the proper...slug...and return a wiki page? That shouldn't break 
my relationships I don't think.

Just kind of wondering if there's already a known technique for my 
application that you know of?

Regards,
Bill

-- 





[web2py] auth module not portable between mac and linux?

2012-10-12 Thread vince
i tried web2py on linux with source code version and on osx with the mac 
version, both connected to the same mysql backend.

i have noticed the user created on linux can only access on linux, login 
from osx will be invalid login. it's the same on osx the other way around.


-- 





[web2py] Auth Decorator / Model Question.

2012-09-03 Thread Kevin C
The title isn't very descriptive, but I hope this paragraph clears things 
up.

Basically we are creating a basic SaaS app.  Users will log in at 
theirname.oursite.com to an administrative panel.  Each administrative 
panel is tied to a user ID from the auth table.  So basically here is what 
should happen:

User visits theirname.oursite.com/admin
Web2py retrieves users_id field from stores table (This field assigns 
ownership of each store to a user id)
Web2py auth decorator should ensure that the logged in user ID is that of 
the store owner

I understand how to write the decorator, but what is the best way to 
retrieve the users_id from the stores table and store it?  Sessions? 
 Temporary variable that is set on each page load?

Please forgive my ignorance.  I am completely new to web2py and want to 
develop using best practices.  I appreciate any guidance you can offer.

Thank you.
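
One way to implement the per-request ownership check asked about above, as an added example that is not from the thread or from web2py itself. The request is a plain dict standing in for web2py's `request.env.http_host` and `auth.user_id`; the `stores.subdomain` column, `store_from_host` and `requires_store_owner` are assumptions.

```python
import functools
import re
import sqlite3

BASE_DOMAIN = "oursite.com"  # domain used in the post
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


class Forbidden(Exception):
    """Stand-in for the framework's HTTP 403 response."""


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stores (subdomain TEXT PRIMARY KEY, "
               "users_id INTEGER NOT NULL)")
    # Constructed sample rows: store label -> owning auth user id.
    db.executemany("INSERT INTO stores VALUES (?, ?)", [("alice", 1), ("bob", 2)])
    return db


def store_from_host(host):
    """Return the store label for '<label>.oursite.com[:port]', else None.

    The Host header is client-controlled, so it must end with the base domain
    and carry exactly one extra label; anything else names no store.
    """
    hostname = (host or "").lower().split(":", 1)[0]
    suffix = "." + BASE_DOMAIN
    if not hostname.endswith(suffix):
        return None
    label = hostname[:-len(suffix)]
    return label if LABEL.fullmatch(label) else None


def requires_store_owner(db):
    """Decorator factory: run the action only for the owner of the requested store."""
    def decorator(action):
        @functools.wraps(action)
        def wrapper(request):
            user_id = request.get("user_id")  # None when nobody is logged in
            label = store_from_host(request.get("host"))
            row = None
            if label is not None:
                row = db.execute("SELECT users_id FROM stores WHERE subdomain = ?",
                                 (label,)).fetchone()
            # Ownership is read from the stores table on every request and is
            # never cached in the session, so a session opened on one store
            # cannot carry owner rights over to another subdomain.
            if user_id is None or row is None or row[0] != user_id:
                raise Forbidden(label or "unknown store")
            return action(request, label)
        return wrapper
    return decorator


DB = make_db()


@requires_store_owner(DB)
def admin(request, store):
    return "admin panel for " + store


def try_admin(host, user_id):
    """Call the protected action and map a denial to the string '403'."""
    try:
        return admin({"host": host, "user_id": user_id})
    except Forbidden:
        return "403"


if __name__ == "__main__":
    for host, uid in [("alice.oursite.com", 1), ("bob.oursite.com", 1),
                      ("alice.oursite.com", None)]:
        print(host, uid, "->", try_admin(host, uid))
```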

-- 





Re: [web2py] Auth with Google Oauth2 - Google Plus, Gmail and other scopes

2012-08-17 Thread Alec Taylor
Hi Bruno,

Can we get an update on this?

Thanks

On Tuesday, January 17, 2012 4:44:16 AM UTC+11, rochacbruno wrote:

 yes we can! the difference is only some keys passed to auth and token url, 
 also the redirect page and the api caller.

 I think we can create an api proxy to decide which class to use and have 
 the google/facebook/linkedin etc mappings in a single file.

 I will try and if works I send a patch.

 http://zerp.ly/rochacbruno
 On 16/01/2012 09:25, Michele Comitini michele@gmail.com wrote:

 Hi Bruno,

 Do you think we can integrate all in one oath20 module?

 tnx

 mic

 2012/1/16 Bruno Rocha rocha...@gmail.com:
  Hi,
 
  I just implemented Google Connect Oauth2 in http://movu.ca/demo
 
  If someone interested in the code it is in
 
  
 https://github.com/rochacbruno/Movuca/blob/master/modules/oauth20_account_google.py
  (modified module)
  
 https://github.com/rochacbruno/Movuca/blob/master/modules/helpers/googleplus.py
  (modified handler, can go in models or modules)
  
 https://github.com/rochacbruno/Movuca/blob/master/modules/handlers/person.py#L378
  (action handler)
  
 https://github.com/rochacbruno/Movuca/blob/master/controllers/person.py#L95
  (controller)
 
  It is based in the facebook version with some changes, but still needs
  improvements.
 
  To use it you have to create API keys in
  https://code.google.com/apis/console/ and the other things will be 
 just like
  the facebook version. I guess the twitter version can be implemented in 
 the
  same way.
 
  ** in my code I am using Movuca config to get the option values, you 
 just
  need to replace them with your API keys.
 
  I also found an issue in Auth
  http://code.google.com/p/web2py/issues/detail?id=616
 
 
  --
 
  Bruno Rocha
  [http://rochacbruno.com.br]
 



-- 





[web2py] Auth and Model less

2012-08-14 Thread Felipe Meirelles
Hello again,

I'm having some trouble with my model less approach with auth module. I've 
put it in a separate file in the modules folder, and, when needed, I import 
it as follows:

modules/web2py/auth.py:

auth = Auth(db, hmac_key=Auth.get_or_create_key())

controllers/tracking.py:

from applications.main.modules.web2py.auth import auth

But sometimes (it's not every time) when I try to log in, the form just 
doesn't validate and doesn't pass through the login/password for checking (I'm 
also using the default login form from the docs). Maybe this has some relation 
with imports being done only once on appengine? And, if it is, what can I 
do about it (since not every page on my app needs auth)?

Thanks






[web2py] auth for entire controller

2012-07-25 Thread Richard Penman
How can I apply auth control to an entire controller rather than decorators 
for each function?

http://web2py.com/books/default/chapter/29/9#Authorization






[web2py] Auth has no attribute signature

2012-07-23 Thread David

I just upgraded my web2py to latest trunk.

I get an exception

S'(\'Auth\' object has no attribute \'signature\',)'

Did something change? I tried the mailing list archive to see, but maybe 
I missed something.


Thanks.







Re: [web2py] Auth with Google Oauth2 - Google Plus, Gmail and other scopes

2012-07-13 Thread Daniel Gonzalez
Hi Bruno,

This is great code, thanks! I would like to do something very similar to 
authenticate users via Facebook, Google and Twitter. I have several 
questions:

   - Has the code been integrated into web2py?
   - Is this intended only for Google+, or can normal Google accounts also 
   use the same code?
   - Would it be easy to integrate twitter too?

I am willing to contribute any improvements I need to do in order to 
generalize this code even more, of course.

Thanks,
Daniel

On Monday, January 16, 2012 6:44:16 PM UTC+1, rochacbruno wrote:

 yes we can! the difference is only some keys passed to auth and token url, 
 also the redirect page and the api caller.

 I think we can create an api proxy to decide which class to use and have 
 the google/facebook/linkedin etc mappings in a single file.

 I will try and if it works I will send a patch.

 http://zerp.ly/rochacbruno
 On 16/01/2012 09:25, Michele Comitini michele.comit...@gmail.com wrote:

 Hi Bruno,

 Do you think we can integrate all in one oauth20 module?

 tnx

 mic

 2012/1/16 Bruno Rocha rochacbr...@gmail.com:
  Hi,
 
  I just implemented Google Connect Oauth2 in http://movu.ca/demo
 
  If someone is interested in the code, it is in
 
  https://github.com/rochacbruno/Movuca/blob/master/modules/oauth20_account_google.py
  (modified module)
  https://github.com/rochacbruno/Movuca/blob/master/modules/helpers/googleplus.py
  (modified handler, can go in models or modules)
  https://github.com/rochacbruno/Movuca/blob/master/modules/handlers/person.py#L378
  (action handler)
  https://github.com/rochacbruno/Movuca/blob/master/controllers/person.py#L95
  (controller)
 
  It is based on the facebook version with some changes, but still needs
  improvements.
 
  To use it you have to create API keys in
  https://code.google.com/apis/console/ and the other things will be just like
  the facebook version. I guess the twitter version can be implemented in the
  same way.
 
  ** in my code I am using Movuca config to get the option values, you just
  need to replace them with your API keys.
 
  I also found an issue in Auth
  http://code.google.com/p/web2py/issues/detail?id=616
 
 
  --
 
  Bruno Rocha
  [http://rochacbruno.com.br]
 



[web2py] auth email verification design question

2012-07-07 Thread amit
For the case that the email has not been verified by the 
user, request_reset_password can be overloaded to include a resend of the email 
verification request. 
Not sure if the above is a good idea?


[web2py] auth exception with Version 2.0.0 (2012-07-04 23:30:47) dev

2012-07-05 Thread szimszon
Hi!

I'm using ldap auth and after the web2py update I get:

Traceback (most recent call last):
  File /home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/gluon/restricted.py, 
line 205, in restricted
exec ccode in environment
  File 
/home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/applications/webadmin/controllers/default.py,
 line 2072, in module
  File /home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/gluon/globals.py, 
line 182, in lambda
self._caller = lambda f: f()
  File 
/home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/applications/webadmin/controllers/default.py,
 line 2051, in user
return dict( form = auth() )
  File /home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/gluon/tools.py, line 
1197, in __call__
return getattr(self,args[0])()
  File /home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/gluon/tools.py, line 
1832, in login
if temp_user.registration_key == 'pending':
  File /home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/gluon/dal.py, line 
6156, in __getattr__
return self[key]
  File /home/PRIMERATE.LAN/gyszabolcs/fejlesztes/web2py/gluon/dal.py, line 
6147, in __getitem__
return dict.__getitem__(self, key)
KeyError: 'registration_key'



http://code.google.com/p/web2py/issues/detail?id=876


[web2py] Auth form custom errors

2012-05-05 Thread Rhys
I'm creating a custom drop down login form for all pages where the user 
isn't logged in. Once they try to log in through this form, if it 
is unsuccessful it redirects to the /user/login page with the auth.login 
form. How do I get an error if the login has resulted in an invalid login? 
As there are two forms I've also tried to do a form out of html so 
there is no form key. Still no luck. Is there a simple variable I can use to 
determine if it is successful? 

[web2py] Re: How to use web2py auth using JavaScript+ajax?

2012-04-05 Thread thstart
I found an old thread:
https://groups.google.com/forum/?fromgroups#!searchin/web2py/auth.login()$20from$20inside$20a$20component/web2py/Qg4AAePIlJw/tOTdGwtAj6EJ
 

The discussion stopped at some point. 

On Friday, March 30, 2012 7:08:10 AM UTC-7, Anthony wrote:

 On Friday, March 30, 2012 2:22:42 AM UTC-4, thstart wrote:

 Thank you, could you please post an example?


 Perhaps someone else has a full working example. You just need a form on 
 the page that gets posted via Ajax (see 
 http://web2py.com/books/default/chapter/29/11#The-ajax-function), and 
 then check the submitted credentials with auth.login_bare (see 
 http://web2py.com/books/default/chapter/29/9#Manual-Authentication).

 Anthony 
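
The approach described in the quoted reply above (a form posted via Ajax, with the submitted credentials checked by auth.login_bare), as an added example that is not code from the thread or from web2py itself. The action name ajax_login, the helper check_ajax_login, the username/password field names and the JSON payload shape are assumptions.

```python
# Added example, not code from the thread. In a real web2py controller the
# framework injects `auth`, `request` and `response`; names below are assumed.
import json

GENERIC_FAILURE = "Invalid login"  # one message for unknown user and bad password


def check_ajax_login(auth, method, username, password):
    """Check Ajax-posted credentials with auth.login_bare.

    Returns (http_status, payload). `auth` is the application's Auth object.
    """
    if method != "POST":
        # Credentials sent in a GET query string end up in access logs.
        return 405, {"ok": False, "error": "POST required"}
    if not username or not password:
        return 400, {"ok": False, "error": GENERIC_FAILURE}
    # login_bare returns the user record on success, False otherwise.
    user = auth.login_bare(username, password)
    if not user:
        return 401, {"ok": False, "error": GENERIC_FAILURE}
    return 200, {"ok": True, "user_id": user["id"]}


def ajax_login():
    """Controller action an Ajax POST of the login form is sent to."""
    status, payload = check_ajax_login(
        auth, request.env.request_method,
        request.vars.username, request.vars.password)
    response.status = status
    response.headers["Content-Type"] = "application/json"
    return json.dumps(payload)
```

The failure payload is identical for an unknown user and a wrong password, so the endpoint does not reveal which accounts exist.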


