I'm working on authorization+authentication for my webapp. The login has a "remember" feature so users don't have to log in each visit. As best practice, any sensitive features (password changing, user management, billing, etc.) should require a user to verify their password before continuing. That way a malicious individual couldn't wreak too much havoc if a user clicks "remember me" on a public terminal, for example.
I'm trying to figure out a way to implement this with Pyramid's authentication+authorization mechanisms. A simple custom authentication policy is sufficient to declare a user as "verified" or "unverified", and the ACL authorization policy can limit access to the sensitive features to verified users. However, I can't figure out how to take the appropriate action when access is denied. Depending on the state of the session, I need to do one of three things:

- No authenticated session — Redirect user to login form
- "Unverified" session and attempting to access sensitive feature — Redirect user to verify password form
- Everything else — Show a 403 Forbidden error page

Any ideas on how I could achieve this?
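One way to get the three-way behaviour described in the post is a Pyramid forbidden view that inspects why the ACL denied the request. This is an added example, not code from the post or from Pyramid; it assumes the custom authentication policy adds a principal named "verified" after a password check, that the login and verify-password routes are named "login" and "verify", and that Pyramid's ACLDenied result is available on `request.exception.result` (it is when `ACLAuthorizationPolicy` does the denying). The decision logic is kept free of Pyramid imports so it can be tested on its own.

```python
VERIFIED = "verified"   # assumed principal added by the custom auth policy after verification
ALLOW = "Allow"         # same string as pyramid.security.Allow


def verification_would_grant(acl, permission):
    """True if some ACE in `acl` grants `permission` to the "verified" principal,
    i.e. the denial happened only because the session has not re-entered its password."""
    for action, principal, perms in acl:
        if action != ALLOW or principal != VERIFIED:
            continue
        if isinstance(perms, str):
            perms = (perms,)
        if permission in perms:       # also true for pyramid's ALL_PERMISSIONS sentinel
            return True
    return False


def choose_forbidden_action(userid, principals, acl, permission):
    """Pure decision logic: returns "login", "verify" or "forbidden"."""
    if userid is None:
        return "login"                # no authenticated session at all
    if VERIFIED not in principals and verification_would_grant(acl, permission):
        return "verify"               # remembered-but-unverified session on a sensitive feature
    return "forbidden"                # verifying the password would not help; real 403


def forbidden_view(request):
    """Register with config.add_forbidden_view(forbidden_view)."""
    from pyramid.httpexceptions import HTTPFound, HTTPForbidden
    # ACLAuthorizationPolicy denials arrive as HTTPForbidden with
    # result=ACLDenied(ace, acl, permission, principals, context).
    denial = getattr(request.exception, "result", None)
    acl = getattr(denial, "acl", None) or ()
    permission = getattr(denial, "permission", None)
    action = choose_forbidden_action(request.authenticated_userid,
                                     request.effective_principals, acl, permission)
    if action == "forbidden":
        return HTTPForbidden()
    # Route names "login" and "verify" are assumed; "next" lets the form send the user back.
    return HTTPFound(location=request.route_url(action, _query={"next": request.url}))


# Constructed sample ACL (assumed permission names) for trying the decision logic.
SAMPLE_ACL = [
    (ALLOW, "system.Authenticated", "view"),
    (ALLOW, VERIFIED, ("change-password", "billing")),
    (ALLOW, "group:admins", "manage-users"),
]
```

An unverified user who is denied "manage-users" still gets the 403 page, because no ACE would grant it to the "verified" principal; only denials that verification would actually cure are redirected to the verify form.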
