durusmail: quixote-users: Problem with NotLoggedInError login scheme
Problem with NotLoggedInError login scheme
2005-03-03
Mario Ruggier (2 parts)
2005-03-04
Shalabh Chaturvedi
2005-03-04
Mario Ruggier
Problem with NotLoggedInError login scheme
Mario Ruggier
2005-03-04
On Mar 4, 2005, at 5:11 AM, Shalabh Chaturvedi wrote:
> Mario Ruggier wrote:
>> Hello,
>> in the form-based login scheme, as in  the demo below, there seems to
>> be a conceptual problem -- and that is that for this scheme to work,
>> a session must already exist. I.e., if, as your first access to the
>> site, you try to access a protected page, a session is not created!
>
> IMO, any scheme using _q_access() and throwing/catching exceptions for
> login does not go very far. I view an invalid (or non-existant)
> session not as an exception but as normal operation that needs a
> conditional flow in the web application. That is why I always use
> (something like) the following at the top of methods I want to
> protect:
>
>     if not get_user():
>         return self.skin.loginpage(return_to=...,msg='...')

Yes, to check within each method may be simpler, and I can easily be
convinced to switch. Anyhow, I was sticking with the other scheme to
understand it first, before knocking it (besides, it was the
recommended method up until just a few days ago!).

The problem i described earlier is due to the fact that I raise an
exception, that I catch myself, thus breaking out of the quixote
loop... and, since i then redirect,  none of the finish_*_request()
methods get called... Thus, if a session did not already exist prior to
the request, a new one will not have the opportunity to get saved. It
turns out this is easily fixed, by doing a
get_publisher().finish_successful_request() prior to the redirect, in
the login handler... but i was afraid that i'd have to mess more deeply
into the publisher internals.

Having a call such as finish_successful_request() in the middle of a
page handler seems not right though... a little improvement can be
achieved by not using try_publish() at all, but replacing it with an
override of finish_interrupted_request() (and moving the call to
finish_interripted_request() to it). The custom publisher class
therefore becomes:

class DemoSessionPublisher(SessionPublisher):
     def finish_interrupted_request(self, exc):
         if isinstance(exc, NotLoggedInError):
             get_publisher().finish_successful_request()
             return self.root_directory.login()
         else:
             return SessionPublisher.finish_interrupted_request(self,
exc)

But, i guess all this is more arguments in favour of the RespondNow
pattern, as if i understand correctly quixote will always handle the
finishing of a request appropriately, even in the case of a modified
new session that is immediately followed by a redirect ?

mario
reply