[albatross-users] next bit of confused insight
Matt Goodall
matt at pollenation.net
Fri Sep 26 17:55:51 EST 2003
Dave Cole wrote:
>>Were I to attack the problem of "make sure I have valid auth at all
>>times", I'd do something like this (bearing in mind I use page
>>objects, not page modules, and file-based server-side sessions for
>>non-Random apps):
>>
>> - Create a base class for all my page objects (I do this anyway so
>>   I can put application-wide nav bars etc in)
>>
>> - This base class would have a page_process function like this
>>
>>     def page_process(self, ctx):
>>         if not hasattr(ctx.locals, '_auth'):
>>             ctx.set_page('login')
>>             return
>>         if not valid_auth(ctx.locals._auth):
>>             ctx.set_page('login_expired')
>>             return
>>         self.sub_page_process(ctx)
>>
>> - 2 new pages, for initial login and for handling stale/expired auth
>>   credentials. These would set the ctx.locals._auth member into
>>   the session state and then set_page() to the main application
>>   page. These objects would NOT be a subclass of the above base!
>>
>> - All other pages subclass the page base and provide a
>>   sub_page_process() to do the actual navigation.
>>
>>This should ensure that the auth is checked and valid before any action is
>>taken anywhere in the application.
>>
>>
>
>If you want to use page modules rather than page objects you can
>put the behaviour into the application class.
>
Presumably your suggestion below would work for page objects too?
>If you look at the run() method of the Albatross Application class (in
>app.py) you will see a convenient place to place this sort of
>functionality.
>
>    def run(self, req):
>        '''Process a single browser request
>        '''
>        ctx = None
>        try:
>            ctx = self.create_context()
>            ctx.set_request(req)
>            self.load_session(ctx)
>            self.load_page(ctx)
>            if self.validate_request(ctx):
>                self.merge_request(ctx)
>                self.process_request(ctx)
>            self.display_response(ctx)
>            self.save_session(ctx)
>            ctx.flush_content()
>        except Redirect, e:
>            self.save_session(ctx)
>            return ctx.send_redirect(e.loc)
>        except:
>            self.handle_exception(ctx, req)
>        return req.status()
>
>The thing to notice from the above is that the application will not
>merge or process the browser request if it fails validation. Vanilla
>Albatross does not perform any request validation as you can see from
>the Application validate_request() method:
>
>    def validate_request(self, ctx):
>        return 1
>
Oh, that's much nicer than my suggestion of set_page() or page_enter().
Thanks for pointing it out Dave, I never thought to look at what
validate_request() actually does ;-).
>You could subclass the Albatross application class and do something
>like this (completely untested):
>
>    def validate_request(self, ctx):
>        if not hasattr(ctx.locals, '_auth'):
>            ctx.set_page('login')
>            return 0
>        if not valid_auth(ctx.locals._auth):
>            ctx.set_page('login_expired')
>            return 0
>        # auth present and valid: let run() merge and process the request
>        return 1
>
Or ctx.redirect(...) for random apps.
Cheers, Matt
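
Added example (not part of the original message and not Albatross code): a stand-alone model of the validate_request() gate discussed in this thread. Ctx, App, PUBLIC_PAGES and the dict-with-expiry form of valid_auth() are assumptions made for illustration; only the validate-before-merge/process ordering comes from the run() method quoted above, and the login pages are exempted in the same spirit as keeping them out of the auth-checking base class.

```python
import time

PUBLIC_PAGES = {"login", "login_expired"}  # assumption: pages exempt from the gate

class Locals:
    pass

class Ctx:
    """Hypothetical stand-in for a context: session locals plus current page."""
    def __init__(self, page, auth=None):
        self.locals = Locals()
        if auth is not None:
            self.locals._auth = auth  # as if restored by load_session()
        self.page = page              # as if chosen by load_page()
        self.processed = False

    def set_page(self, name):
        self.page = name

def valid_auth(auth, now=None):
    """Assumed check: auth is a dict carrying an 'expires' timestamp."""
    return auth.get("expires", 0) > (time.time() if now is None else now)

class App:
    """Models only the validate -> merge/process ordering of run()."""
    def validate_request(self, ctx):
        if ctx.page in PUBLIC_PAGES:
            return 1  # otherwise the login form could never be processed
        if not hasattr(ctx.locals, "_auth"):
            ctx.set_page("login")
            return 0
        if not valid_auth(ctx.locals._auth):
            ctx.set_page("login_expired")
            return 0
        return 1      # omit this and the method returns None: every request refused

    def run(self, ctx):
        if self.validate_request(ctx):
            ctx.processed = True  # stands in for merge_request + process_request
        return ctx.page, ctx.processed

def demo():
    """Constructed requests: no auth, stale auth, fresh auth, login page."""
    app, now = App(), time.time()
    return [app.run(Ctx("main")),
            app.run(Ctx("main", {"expires": now - 60})),
            app.run(Ctx("main", {"expires": now + 60})),
            app.run(Ctx("login"))]
```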