[albatross-users] next bit of confused insight

Fri Sep 26 17:55:51 EST 2003

Dave Cole wrote:

>>Were I to attack the problem of "make sure I have valid auth at all
>>times", I'd do something like this (bearing in mind I use page
>>objects, not page modules, and file-based server-side sessions for
>>non-Random apps):
>>
>> - Create a base class for all my page objects (I do this anyway so
>>   I can put application-wide nav bars etc in)
>>
>> - This base class would have a page_process function like this
>>
>>	def page_process(self, ctx):
>>		if not hasattr(ctx.locals, '_auth'):
>>			ctx.set_page('login')
>>			return
>>		if not valid_auth(ctx.locals._auth):
>>			ctx.set_page('login_expired')
>>			return
>>		self.sub_page_process(ctx)
>>
>> - 2 new pages, for initial login and for handling stale/expired auth
>>   credentials.  These would set the ctx.locals._auth member into
>>   the session state and then set_page() to the main application
>>   page.  These objects would NOT be a subclass of the above base!
>>
>> - All other pages subclass the page base and provide a
>>   sub_page_process() to do the actual navigation.
>>
>>This should ensure that the auth is checked and valid before any action is 
>>taken anywhere in the application.
>>    
>>
>
>If you want to use page modules rather than page objects you can
>put the behaviour into the application class.
>
Presumably your suggestion below would work for page objects too?

>If you look at the run() method of the Albatross Application class (in
>app.py) you will see a convenient place to place this sort of
>functionality.
>
>    def run(self, req):
>        '''Process a single browser request
>        '''
>        ctx = None
>        try:
>            ctx = self.create_context()
>            ctx.set_request(req)
>            self.load_session(ctx)
>            self.load_page(ctx)
>            if self.validate_request(ctx):
>                self.merge_request(ctx)
>                self.process_request(ctx)
>            self.display_response(ctx)
>            self.save_session(ctx)
>            ctx.flush_content()
>        except Redirect, e:
>            self.save_session(ctx)
>            return ctx.send_redirect(e.loc)
>        except:
>            self.handle_exception(ctx, req)
>        return req.status()
>
>The thing to notice from the above is that the application will not
>merge or process the browser request if it fails validation.  Vanilla
>Albatross does not perform any request validation as you can see from
>the Application validate_request() method:
>
>    def validate_request(self, ctx):
>        return 1
>
Oh, that's much nicer than my suggestion of set_page() or page_enter(). 
Thanks for pointing it out Dave, I never though to look at what 
validate_request() actually does ;-).

>You could subclass the Albatross application class and do something
>like this (completely untested):
>
>    def validate_request(self, ctx):
>        if not hasattr(ctx.locals, '_auth'):
>            ctx.set_page('login')
>            return 0
>        if not valid_auth(ctx.locals._auth):
>            ctx.set_page('login_expired')
>            return 0
>
Or ctx.redirect(...) for random apps.

Cheers, Matt