#2089: Write a repoze.who challenge decider
------------------------+---------------------------------------------------
Reporter: Gustavo | Owner: Gustavo
Type: defect | Status: new
Priority: high | Milestone: 2.0b1
Component: TurboGears | Version: trunk
Severity: critical | Keywords: repoze.who, auth, quickstart
------------------------+---------------------------------------------------
Quickstarted TG2 applications use the default repoze.who challenge
decider, which will request a challenger (e.g., display the login form)
simply based on whether the downstream WSGI application rejected the
request (e.g., a predicate not met if using repoze.what).

As a result, if a logged-in user tries to access an action whose predicate
is not met (e.g., an editor and an action that requires "admin" rights),
she will get the login form instead of a message that notifies her that
she's not allowed to see that page.

So, we need a challenge decider which acts like the default one, except
that if the user has been authenticated it won't request a challenge (but
then we'll also have to handle the failure by flashing the error to the
user).
--
Ticket URL: <http://trac.turbogears.org/ticket/2089>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
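
The decider requested in this ticket, sketched as an added example (not code from the ticket or from TurboGears). It assumes the standard repoze.who decider signature (environ, status, headers) and the "repoze.who.identity" environ key; the function names, the sample app and the "groups" entry in the identity are constructed for illustration.

```python
# Added example; every name except the environ key is hypothetical.
IDENTITY_KEY = "repoze.who.identity"  # where repoze.who stores the identity


def challenge_on_any_401(environ, status, headers):
    """Behaviour the ticket describes for the default decider."""
    return status.startswith("401 ")


def challenge_unless_authenticated(environ, status, headers):
    """Challenge only when the 401 comes back for an anonymous request."""
    if not status.startswith("401 "):
        return False
    # A missing or empty identity means nobody is logged in.
    return not environ.get(IDENTITY_KEY)


def admin_only_app(environ, start_response):
    """Constructed downstream app: rejects everyone who is not in 'admin'."""
    identity = environ.get(IDENTITY_KEY) or {}
    if "admin" in identity.get("groups", ()):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"admin page"]
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"predicate not met"]


def outcome(decider, identity):
    """Stand-in for the middleware step: run the app, then ask the decider."""
    environ = {"PATH_INFO": "/admin"}
    if identity is not None:
        environ[IDENTITY_KEY] = identity
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    body = b"".join(admin_only_app(environ, start_response))
    if decider(environ, seen["status"], seen["headers"]):
        return "login form"
    if seen["status"].startswith("401 "):
        return "not allowed"  # the application has to flash the error here
    return body.decode()
```

With the second decider an authenticated editor is no longer sent to the login form, so the application must turn the unchallenged rejection into a visible "not allowed" message itself.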