Let me look into this.
On Aug 2, 4:17 pm, Niphlod <niph...@gmail.com> wrote:
> OK, I took a look into tools.py to get some clearer ideas... it
> turns out that it is a bit difficult to clean out the magic from Auth().
>
> I made a little mess here (it tends to be really confusing), and
> actually:
>
> from gluon.contrib.login_methods.basic_auth import basic_auth
>
> and
>
> auth.settings.login_methods = [basic_auth()]
>
> are needed if we're going to authenticate against an "external" server
> with basic authentication (i.e. you have a list of users in
> Apache's .htaccess and you have to allow access to web2py using that
> info and not the one stored in the auth tables).
>
> So, in order to let web2py use basic authentication with the data
> stored in its auth tables, all we need is:
>
> auth.settings.allow_basic_login = True
>
> Moreover, now I don't understand if the following is needed/useful:
>
> auth.settings.actions_disabled = [
>     'login',
>     'logout',
>     'register',
>     'verify_email',
>     'retrieve_username',
>     'retrieve_password',
>     'reset_password',
>     'request_reset_password',
>     'change_password',
>     'profile',
>     'groups',
>     'impersonate',
> ]
>
> and finally:
>
> def unauth():
>     head = 'Basic realm="%s"' % (request.application)
>     raise HTTP(401,['Unauthorized'])
>
> So, I discovered that raise HTTP(401,'hello') returns the cruft in
> order to trick IE (is this needed still?), but if you put status as a
> list it will return only 'hello' (nice catch) but....
> 1) I'd need to set this function as the default "event" of not being
> authorized
> (eventually controlling that the Authorization header is not there and
> adding the WWW-Authenticate header)...
> it would be as easy as putting WWW-Authenticate=head as an argument to
> HTTP), but it turns out that it is reaaally difficult to put one in there
> (python dict limitation??)....can anyone point me in the right
> direction?
>
> 2) I saw what auth.settings.allow_basic_login = True does (and
> auth.basic()) and it "allows" the basic authentication in addition to
> the default auth (also with disabled actions). Maybe the default auth
> can be shut down totally?
>
> Thanks a lot
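
An added example, not part of the thread or of web2py's own code: a self-contained sketch of the 401 challenge discussed above, showing how a hyphenated header name such as WWW-Authenticate can be passed through keyword arguments by unpacking a dict, alongside strict parsing of the client's Authorization header. The `HTTP` class here is a stand-in assumed to mirror the `HTTP(status, body, **headers)` call form; `USERS`, `challenge`, `parse_basic` and `require_basic` are hypothetical names, and the sample account is constructed.

```python
import base64
import hmac

class HTTP(Exception):
    """Stand-in (assumption) for an HTTP exception: status, body, headers as keywords."""
    def __init__(self, status, body='', **headers):
        super().__init__(status)
        self.status, self.body, self.headers = status, body, headers

# Constructed sample account; a real application checks its auth tables instead.
USERS = {'alice': 's3cret'}

def challenge(realm):
    """Build the 401 response that asks the client for Basic credentials."""
    head = 'Basic realm="%s"' % realm.replace('"', '')
    # 'WWW-Authenticate' contains a hyphen, so it cannot be written as a
    # keyword argument; unpacking a dict passes it through **headers intact.
    return HTTP(401, ['Unauthorized'], **{'WWW-Authenticate': head})

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(' ')
    if scheme.lower() != 'basic':
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode('utf-8')
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(':')  # password may contain ':'
    return (user, password) if sep else None

def require_basic(env, realm):
    """Return the user name, or raise the 401 challenge on missing/bad credentials."""
    creds = parse_basic(env.get('HTTP_AUTHORIZATION'))
    if creds is None:
        raise challenge(realm)
    user, password = creds
    expected = USERS.get(user, '')
    # Constant-time comparison; unknown users follow the same path as bad passwords.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    if not (ok and user in USERS):
        raise challenge(realm)
    return user
```

Basic credentials are only base64-encoded, so a deployment that enables this should serve the endpoint over HTTPS only.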