[albatross-users] next bit of confused insight

Dave Cole djc at object-craft.com.au
Fri Sep 26 11:37:06 EST 2003 

> Were I to attack the problem of "make sure I have valid auth at all
> times", I'd do something like this (bearing in mind I use page
> objects, not page modules, and file-based server-side sessions for
> non-Random apps):
> 
>  - Create a base class for all my page objects (I do this anyway so
>    I can put application-wide nav bars etc in)
> 
>  - This base class would have a page_process function like this
> 
> 	def page_process(self, ctx):
> 		if not hasattr(ctx.locals, '_auth'):
> 			ctx.set_page('login')
> 			return
> 		if not valid_auth(ctx.locals._auth):
> 			ctx.set_page('login_expired')
> 			return
> 		self.sub_page_process(ctx)
> 
>  - 2 new pages, for initial login and for handling stale/expired auth
>    credentials.  These would set the ctx.locals._auth member into
>    the session state and then set_page() to the main application
>    page.  These objects would NOT be a subclass of the above base!
> 
>  - All other pages subclass the page base and provide a
>    sub_page_process() to do the actual navigation.
> 
> This should ensure that the auth is checked and valid before any action is 
> taken anywhere in the application.

If you want to use page modules rather than page objects you can
put the behaviour into the application class.

If you look at the run() method of the Albatross Application class (in
app.py) you will see a convenient place to place this sort of
functionality.

    def run(self, req):
        '''Process a single browser request
        '''
        ctx = None
        try:
            ctx = self.create_context()
            ctx.set_request(req)
            self.load_session(ctx)
            self.load_page(ctx)
            if self.validate_request(ctx):
                self.merge_request(ctx)
                self.process_request(ctx)
            self.display_response(ctx)
            self.save_session(ctx)
            ctx.flush_content()
        except Redirect, e:
            self.save_session(ctx)
            return ctx.send_redirect(e.loc)
        except:
            self.handle_exception(ctx, req)
        return req.status()

The thing to notice from the above is that the application will not
merge or process the browser request if it fails validation.  Vanilla
Albatross does not perform any request validation as you can see from
the Application validate_request() method:

    def validate_request(self, ctx):
        return 1

You could subclass the Albatross application class and do something
like this (completely untested):

    def validate_request(self, ctx):
        if not hasattr(ctx.locals, '_auth'):
            ctx.set_page('login')
            return 0
        if not valid_auth(ctx.locals._auth):
            ctx.set_page('login_expired')
            return 0

Oh, this should probably work in all types of session based Albatross
applications.

- Dave

-- 
http://www.object-craft.com.au

More information about the Albatross-users mailing list