Just discovered that context.result in the forbidden view will be an
ACLDenied object. I might be able to work with that. I'll play around
with it and report back.
On Tue Jan 13 2015 at 9:09:12 AM Theron Luhn wrote:
> I already know how to set up the authentication and authorization—That's
>
I already know how to set up the authentication and authorization—That's no
problem. What I don't know how to do is take the correct behavior when
access is denied. AFAIK in the Forbidden view there's no context as to why
access to the resource is forbidden. I don't want to ask a user to verify
Handling redirects in case security checks fail is quite easy. For example
the following will set up a redirect:

from pyramid.exceptions import Forbidden
from pyramid.httpexceptions import HTTPFound

def forbidden_view(forbiddenResponse, request):
    # redirect to the login page; the 'login' route name is an assumption
    return HTTPFound(location=request.route_url('login'))

# register it as the exception view for Forbidden:
# config.add_view(forbidden_view, context=Forbidden)
Just as a general guideline I would always try to implement as much as
possible via roles and permissions.
In this case I would suggest roles of perhaps Authenticated, Verified and
Anonymous and then assign permissions to the views as your business logic sees
fit.
This reduces the problem s
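To tie the two suggestions in this thread together (a Verified role alongside Authenticated and Anonymous, and the ACLDenied result that the forbidden view receives), here is an added example that is not code from the thread or from Pyramid itself. Pyramid is not imported: the ACL walk, the ACLDenied record, the "role:verified" principal name and the redirect paths are assumptions standing in for pyramid.security, so the decision logic can be run stand-alone.

```python
# Added example; mimics pyramid.security's ACL evaluation and ACLDenied fields
# so the forbidden-view decision can be exercised without Pyramid installed.
from collections import namedtuple

Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
VERIFIED = "role:verified"   # assumed principal granted after a password re-check

# Same field names as pyramid.security.ACLDenied.
ACLDenied = namedtuple("ACLDenied", "ace acl permission principals context")

def permits(acl, principals, permission):
    """First matching ACE wins, as in ACLAuthorizationPolicy.

    Returns None when allowed, otherwise an ACLDenied describing which ACE
    (or the implicit default deny) rejected the request.
    """
    for ace in acl:
        action, principal, perms = ace
        if principal in principals and permission in perms:
            if action == Allow:
                return None
            return ACLDenied(ace, acl, permission, principals, None)
    return ACLDenied("<default deny>", acl, permission, principals, None)

# Constructed ACL for a sensitive "billing" resource: anyone logged in may
# look, but only a recently re-verified user may change anything.
BILLING_ACL = [
    (Allow, VERIFIED, ("view", "edit")),
    (Allow, Authenticated, ("view",)),
    (Deny, Everyone, ("view", "edit")),
]

def forbidden_redirect(denied):
    """Where the forbidden view should send the user, based on the denial.

    Anonymous users go to login; authenticated users who lack the verified
    principal are asked to re-enter their password; anything else is a real 403.
    """
    if Authenticated not in denied.principals:
        return "/login"
    if VERIFIED not in denied.principals:
        return "/verify-password"
    return None
```

The same branching would live in the registered forbidden view, reading the ACLDenied from `request.exception.result` and returning `HTTPFound` to the chosen path.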
I'm working on authorization+authentication for my webapp. The login has a
"remember" feature so users don't have to log in each visit. As best
practice, any sensitive features (password changing, user management,
billing, etc.) should require a user to verify their password before
continuing