Looks like you can do: auth.settings.allow_basic_login = True auth.user = auth.basic()[2] if auth.user: etc.
But this doesn't appear to be documented. Perhaps auth.basic() should automatically populate auth.user rather than simply returning it as part of a tuple. Anthony On Thursday, May 31, 2012 10:12:14 PM UTC-4, G. Clifford Williams wrote: > > Given the following code snippet in a controller (default or any other): > > auth.settings.allow_basic_login = True > def howdy(): > auth.settings.allow_basic_login = True > response.view = 'generic.json' > if auth.user: > this_user = auth.user.id > else: > this_user = "unset" > return dict(user=this_user) > if the controller action is called as such: > % curl --user 't...@somewhere.com:supersecretpassword' > http://127.0.0.1:8000/myapp/controller/howdy > > this response you'll get it this: > {"user": "unset"} > > The same goes for using auth.is_logged_in(): > > The result is different, however, when you use one of the 'requires' > decorators: > > auth.settings.allow_basic_login = True > > def howdy(): > auth.settings.allow_basic_login = True > @auth.requires_login() > def proforma(): > pass #empty function just to invoke auth.requires > proforma() #call empty function > response.view = 'generic.json' > if auth.user: > this_user = auth.user.id > else: > this_user = "unset" > return dict(user=this_user) > this results in: > % curl --user 't...@somewhere.com:supersecretpassword' > http://127.0.0.1:8000/myapp/controller/howdy > {"user": 1} > > After some digging I discovered that in tools.py auth.requires_* ends up > calling login_bare which is why the second one works. I realize that > according to the book ( > http://web2py.com/books/default/chapter/29/9?search=login_bare) > login_bare() can be called to login the user "manually". Unfortunately the > examples for auth.settings.allow_basic_login in the manual/book ( > http://web2py.com/books/default/chapter/29/9#Access-Control-and-Basic-Authentication, > > http://web2py.com/books/default/chapter/29/9#Settings-and-messages , & > http://web2py.com/books/default/chapter/29/10#Access-Control) don't > address the fact that no login is actually executed without the decorators. > With the last example if someone wanted to use that as a guide they might > think that changing: > > @auth.requires_login() > @request.restful() > def api(): > def GET(s): > return 'access granted, you said %s' % s > return locals() > > to: > > > @request.restful() > def api(): > def GET(s): > > if auth.is_logged_in(): > return 'access granted, you said %s' % s > > else: > > return 'access denied' > return locals() > > > Should work, but they would be mistaken (and likely to spend much time > trying to figure out why one worked and the other did not). I don't know > whether it was the intention that using basic auth prevent a call to log > the user in by default. It seems that either the code should be fixed or we > should update the documentation to clarify that login_bare() should be > called explicitly (directly or indirectly) to actually execute the login > process. > >