#2277: Authz notification (WebFlash) messages are broken when TG2 doesn't
configure Repoze auth software
------------------------------------+---------------------------------------
Reporter: Gustavo | Owner:
Type: defect | Status: new
Priority: high | Milestone: 2.0rc1
Component: TurboGears | Version: 2.0b7
Severity: critical | Resolution:
Keywords: WebFlash, repoze, auth |
------------------------------------+---------------------------------------
Old description:
> If I configure repoze.who and repoze.what manually, when authorization is
> denied I can't see the reason flashed anymore.
>
> Everything else works perfectly, I can even see the reason printed in the
> logs, but !WebFlash's cookie isn't set and thus that message is not
> printed in the page.
>
> To reproduce it:
> 1. Tell TG not to configure Repoze auth middleware by
> removing/commenting the following line in yourapp/config/app_cfg.py:
> {{{
> base_config.auth_backend = 'sqlalchemy'
> }}}
> 1. Add the middleware through the following function (define it in
> yourapp/config/auth.py):
> {{{
> from logging import INFO, getLogger
>
> from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
> from repoze.who.plugins.sa import (SQLAlchemyUserMDPlugin,
> SQLAlchemyAuthenticatorPlugin)
> from repoze.who.plugins.friendlyform import FriendlyFormPlugin
>
> from repoze.what.middleware import setup_auth
> from repoze.what.plugins.sql import SqlGroupsAdapter,
> SqlPermissionsAdapter
>
> from yourapp.model import User, Group, Permission, DBSession
>
> def add_auth(app):
> """Add Repoze auth middleware to ``app``"""
> # --- Configuring repoze.who:
> who_args = {}
> # Adding the identifier plugins:
> cookie = AuthTktCookiePlugin(secret='secret',
> cookie_name='authtkt')
> form = FriendlyFormPlugin(
> login_form_url='/login',
> login_handler_path='/login_handler',
> post_login_url='/post_login',
> logout_handler_path='/logout_handler',
> post_logout_url='/post_logout',
> rememberer_name='cookie')
> who_args['identifiers'] = [
> ('cookie', cookie),
> ('main_identifier', form)]
> # Adding authenticators:
> sql_authn = SQLAlchemyAuthenticatorPlugin(User,
> DBSession)
> who_args['authenticators'] = [
> ('sql_authn', sql_authn)]
> # Our form is also a challenger:
> who_args['challengers'] = [
> ('form', form)]
> # Adding metadata providers:
> sql_user_md = SQLAlchemyUserMDPlugin(User, DBSession)
> who_args['mdproviders'] = [
> ('sql_user', sql_user_md)]
> # Setting the logs up:
> who_args['log_stream'] = getLogger('auth')
> who_args['log_level'] = INFO
>
> # --- Configuring repoze.what:
> # Adding group source adapters:
> groups_in_db = SqlGroupsAdapter(Group, User, DBSession)
> group_adapters = {'sql_groups': groups_in_db}
> # Adding permission source adapters:
> perms_in_db = SqlPermissionsAdapter(Permission, Group,
> DBSession)
> permission_adapters = {'sql_perms': perms_in_db}
>
> app_with_mw = setup_auth(app, group_adapters,
> permission_adapters,
> **who_args)
> return app_with_mw
>
> }}}
> 1. Go to yourapp/config/middleware and add the middleware:
> {{{
> from yourapp.config.app_cfg import base_config
> from yourapp.config.environment import load_environment
> from yourapp.config.auth import add_auth
>
> __all__ = ['make_app']
>
> make_base_app = base_config.setup_tg_wsgi_app(load_environment)
>
> def make_app(global_conf, full_stack=True, **app_conf):
> app = make_base_app(global_conf, full_stack=True, **app_conf)
>
> # Wrap your base TurboGears 2 application with custom middleware here
> app = add_auth(app)
> return app
> }}}
>
> Finally, visit a protected page like
> http://127.0.0.1:8080/manage_permission_only and you'll see that the
> reason why authorization was denied is no longer flashed.
>
> I already tried to find what's wrong, but I couldn't. I have the feeling
> that it's something microscopical.
New description:
If I configure repoze.who and repoze.what manually, when authorization is
denied I can't see the reason flashed anymore.
Everything else works perfectly, I can even see the reason printed in the
logs, but !WebFlash's cookie isn't set and thus that message is not
printed in the page.
To reproduce it:
1. Tell TG not to configure Repoze auth middleware by removing/commenting
the following line in yourapp/config/app_cfg.py:
{{{
base_config.auth_backend = 'sqlalchemy'
}}}
1. Add the middleware through the following function (define it in
yourapp/config/auth.py):
{{{
from logging import INFO, getLogger
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.sa import (SQLAlchemyUserMDPlugin,
SQLAlchemyAuthenticatorPlugin)
from repoze.who.plugins.friendlyform import FriendlyFormPlugin
from repoze.what.middleware import setup_auth
from repoze.what.plugins.sql import SqlGroupsAdapter,
SqlPermissionsAdapter
from yourapp.model import User, Group, Permission, DBSession
def add_auth(app):
    """Wrap ``app`` in the repoze.who / repoze.what middleware.

    The repoze.who plugins and the repoze.what source adapters are built
    by hand and passed to ``setup_auth``; the wrapped application that
    ``setup_auth`` returns is handed back to the caller.
    """
    # --- repoze.who plugins ---
    # NOTE(review): 'secret' is a placeholder value for the auth_tkt cookie
    # secret. The cookie is only trustworthy while that value is private
    # and unpredictable, so outside a reproduction recipe it should be a
    # long random string loaded from deployment configuration.
    cookie = AuthTktCookiePlugin(secret='secret', cookie_name='authtkt')
    # rememberer_name refers to the 'cookie' identifier registered below.
    form = FriendlyFormPlugin(
        login_form_url='/login',
        login_handler_path='/login_handler',
        post_login_url='/post_login',
        logout_handler_path='/logout_handler',
        post_logout_url='/post_logout',
        rememberer_name='cookie',
    )
    sql_authn = SQLAlchemyAuthenticatorPlugin(User, DBSession)
    sql_user_md = SQLAlchemyUserMDPlugin(User, DBSession)

    who_args = {
        'identifiers': [('cookie', cookie), ('main_identifier', form)],
        'authenticators': [('sql_authn', sql_authn)],
        # The login form doubles as the challenger.
        'challengers': [('form', form)],
        'mdproviders': [('sql_user', sql_user_md)],
        # Authentication events are logged to the 'auth' logger at INFO.
        'log_stream': getLogger('auth'),
        'log_level': INFO,
    }

    # --- repoze.what source adapters ---
    group_adapters = {
        'sql_groups': SqlGroupsAdapter(Group, User, DBSession),
    }
    permission_adapters = {
        'sql_perms': SqlPermissionsAdapter(Permission, Group, DBSession),
    }

    return setup_auth(app, group_adapters, permission_adapters, **who_args)
}}}
1. Go to yourapp/config/middleware and add the middleware:
{{{
from yourapp.config.app_cfg import base_config
from yourapp.config.environment import load_environment
from yourapp.config.auth import add_auth
# Only make_app is exported from this module.
__all__ = ['make_app']
# Base application factory, built from base_config and load_environment.
make_base_app = base_config.setup_tg_wsgi_app(load_environment)
def make_app(global_conf, full_stack=True, **app_conf):
    """Build the base TurboGears 2 app and wrap it with ``add_auth``.

    NOTE(review): the ``full_stack`` argument is accepted but not
    forwarded; ``make_base_app`` is always called with ``full_stack=True``.
    """
    base_app = make_base_app(global_conf, full_stack=True, **app_conf)
    # Custom middleware wraps the base application at this point; here it
    # is the auth middleware added by add_auth().
    return add_auth(base_app)
}}}
Finally, visit a protected page like
http://127.0.0.1:8080/manage_permission_only and you'll see that the
reason why authorization was denied is no longer flashed. This only fails
when we're redirected to the login form.
I already tried to find what's wrong, but I couldn't. I have the feeling
that it's something microscopical.
Comment (by Gustavo):
Only on 401 pages
--
Ticket URL: <http://trac.turbogears.org/ticket/2277#comment:1>