If you can confirm that this works, I'll add it to the book.

On Thursday, May 31, 2012 10:48:21 PM UTC-4, Anthony wrote:
>
> Looks like you can do:
>
> auth.settings.allow_basic_login = True
> auth.user = auth.basic()[2]
> if auth.user:
>     etc.
>
> But this doesn't appear to be documented. Perhaps auth.basic() should 
> automatically populate auth.user rather than simply returning it as part of 
> a tuple.
>
> Anthony
>
> On Thursday, May 31, 2012 10:12:14 PM UTC-4, G. Clifford Williams wrote:
>>
>> Given the following code snippet in a controller (default or any other): 
>>
>> auth.settings.allow_basic_login = True
>> def howdy():
>>     auth.settings.allow_basic_login = True
>>     response.view = 'generic.json'
>>     if auth.user:
>>         this_user = auth.user.id
>>     else:
>>         this_user = "unset"
>>     return dict(user=this_user)
>>
>> if the controller action is called as such:
>> % curl --user 't...@somewhere.com:supersecretpassword' http://127.0.0.1:8000/myapp/controller/howdy
>>
>> the response you'll get is this:
>> {"user": "unset"}
>>
>> The same goes for using auth.is_logged_in(): 
>>
>> The result is different, however, when you use one of the 'requires' 
>> decorators:                                                             
>>
>> auth.settings.allow_basic_login = True
>>
>> def howdy():
>>     auth.settings.allow_basic_login = True
>>     @auth.requires_login()
>>     def proforma():
>>         pass #empty function just to invoke auth.requires
>>     proforma() #call empty function
>>     response.view = 'generic.json'
>>     if auth.user:
>>         this_user = auth.user.id
>>     else:
>>         this_user = "unset"
>>     return dict(user=this_user)
>>
>> this results in:
>> % curl --user 't...@somewhere.com:supersecretpassword' http://127.0.0.1:8000/myapp/controller/howdy
>> {"user": 1}
>>
>> After some digging I discovered that in tools.py auth.requires_* ends up 
>> calling login_bare which is why the second one works. I realize that 
>> according to the book (http://web2py.com/books/default/chapter/29/9?search=login_bare)
>> login_bare() can be called to log in the user "manually". Unfortunately the
>> examples for auth.settings.allow_basic_login in the manual/book
>> (http://web2py.com/books/default/chapter/29/9#Access-Control-and-Basic-Authentication,
>> http://web2py.com/books/default/chapter/29/9#Settings-and-messages, &
>> http://web2py.com/books/default/chapter/29/10#Access-Control) don't
>> address the fact that no login is actually executed without the decorators.
>> With the last example if someone wanted to use that as a guide they might 
>> think that changing: 
>>
>> @auth.requires_login()
>> @request.restful()
>> def api():
>>    def GET(s):
>>        return 'access granted, you said %s' % s
>>    return locals()
>>
>> to: 
>>
>> @request.restful()
>> def api():
>>    def GET(s):
>>        if auth.is_logged_in():
>>            return 'access granted, you said %s' % s
>>        else:
>>            return 'access denied'
>>    return locals()
>>
>> should work, but they would be mistaken (and likely to spend much time
>> trying to figure out why one worked and the other did not). I don't know 
>> whether it was the intention that using basic auth prevent a call to log 
>> the user in by default. It seems that either the code should be fixed or we 
>> should update the documentation to clarify that login_bare() should be 
>> called explicitly (directly or indirectly) to actually execute the login 
>> process. 
>>
>>
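
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not web2py code: a self-contained model in which the Basic credentials are only evaluated when `basic()` is called, so `is_logged_in()` stays false until then. `ToyAuth`, `USERS`, `howdy(auth, call_basic)` and `basic_header` are hypothetical names; the `(allowed, accepted, user)` tuple shape is assumed from Anthony's `auth.basic()[2]`.

```python
import base64
import binascii
import hmac

# Constructed credential store for the demo (a real app would hold password hashes).
USERS = {"alice@example.com": {"id": 1, "password": "s3cret"}}


class ToyAuth:
    """Hypothetical stand-in for the behaviour described in the thread."""

    def __init__(self, headers, allow_basic_login=False):
        self.headers = headers
        self.allow_basic_login = allow_basic_login
        self.user = None  # nothing has read the Authorization header yet

    def is_logged_in(self):
        return self.user is not None

    def basic(self):
        """Return (allowed, accepted, user); user is None unless credentials verify."""
        if not self.allow_basic_login:
            return (False, False, None)
        header = self.headers.get("Authorization", "")
        if header[:6].lower() != "basic ":
            return (True, False, None)
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return (True, True, None)  # malformed credentials: fail closed
        # Split on the first colon only: passwords may contain ':'.
        username, sep, password = decoded.partition(":")
        record = USERS.get(username)
        ok = bool(sep) and record is not None and hmac.compare_digest(
            password.encode(), record["password"].encode())
        return (True, True, {"id": record["id"]} if ok else None)


def howdy(auth, call_basic):
    """Mirror of the thread's action: report the user id or "unset"."""
    if call_basic:
        auth.user = auth.basic()[2]
    return {"user": auth.user["id"] if auth.is_logged_in() else "unset"}


def basic_header(username, password):
    # Build the header a client such as curl --user would send.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```
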
