I rewrote the login once more... I reverted to the old mechanism of using vars=dict(_next=....) to carry on the location where to redirect after login. The problem is that this _next gets lost when login is outsourced (cas, janrain, others). This is difficult to fix without changing the logic of many login_methods (details below). So we still need to use the session logic to deal with this case. I moved such logic from Auth() to auth.login(). Does this break anybody's code?
The problem: you visit http://..../app1/default/xxx; it requires login, so it redirects to http://..../app1/default/user/login?_next=/app1/default/xxx; it requires federated auth, so it redirects to (*) http://..../app2/default/user/login?service=http://..../app1/default/user/login, which does its thing and redirects back to http://..../app1/default/user/login, and _next is lost.

At the step where it is lost we could pass service=urllib.quote(http://..../app1/default/user/login?_next=/app1/default/xxx) but I do not know for a fact how single sign-on services deal with variables in the service url. Each one is different. It may be implementation dependent.

Also, is there a security risk? What if the _next is a private url that includes a uuid? Do we want to disclose it to the openid provider?

Massimo

On Sep 17, 10:06 pm, Massimo Di Pierro <[email protected]> wrote:
> There are cases when the original "next" got lost. I did not fully
> track the cause of the problem.
> The code in Auth was a quick hack to handle it.
>
> On Sep 17, 11:26 am, Jonathan Lundell <[email protected]> wrote:
> > On Sep 17, 2011, at 8:46 AM, Massimo Di Pierro wrote:
> > > The basic use case is this:
> > > User clicks on a link that requires_login and gets redirected to the
> > > login page. After login the user is redirected to the original
> > > requested page.
> > > Exceptions:
> > > - the login is outsourced to janrain
> > > - the login is outsourced to cas or other open-id
> > > - the login is not possible and the user must first register
> > > - after login is redirected to the intended page but the app logic
> > > finds this user has incomplete profile and redirects to profile
> > > editing (*)
> > > - what if the user is impersonating another user? (?)
> > > - the user is visiting a page that does not require login but LOADs a
> > > component that does (?)
> > > - the user is visiting a page that does not require login but IFRAMEs
> > > a component that does
> > > - the user has another window open (**)
> > > (*) is not currently supported. (?) not sure if it works. (**) worked
> > > with _next but not with session._auth_next.
> > > The old logic saves a next link in session in Auth(). What's that for?
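The two points raised in the message, carrying _next through the outsourced login's service URL and the risk of trusting or disclosing whatever _next contains, are shown below in an added, stand-alone example. It is not web2py code and not part of the thread; the hostnames (example.org, sso.example.org), paths and function names are constructed for illustration, and it uses Python 3's urllib.parse in place of the urllib.quote mentioned above. The helper is_safe_next shows the check a login handler would want before redirecting to a user-supplied _next (only a relative path on this site, so the parameter cannot be turned into an open redirect), and provider_visible_service shows exactly what the single sign-on provider receives, which is the disclosure question asked in the message.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values (not from the thread).
APP_LOGIN = "http://example.org/app1/default/user/login"
SSO_LOGIN = "http://sso.example.org/app2/default/user/login"


def build_login_url(login_url, next_path):
    """Append _next to the app's own login URL (the vars=dict(_next=...) mechanism)."""
    return login_url + "?" + urlencode({"_next": next_path})


def build_service_url(sso_login_url, login_url_with_next):
    """Wrap the app login URL (including its _next) as the SSO 'service' parameter.

    urlencode percent-encodes the nested URL, so the inner '?' and '=' survive
    one round trip; whether a given SSO implementation preserves the query
    string of 'service' unchanged is, as the message says, provider dependent.
    """
    return sso_login_url + "?" + urlencode({"service": login_url_with_next})


def provider_visible_service(service_url):
    """Return the decoded 'service' value, i.e. what the SSO provider actually sees."""
    outer = parse_qs(urlsplit(service_url).query)
    return outer.get("service", [None])[0]


def recover_next(service_url):
    """Pull _next back out of the nested service URL after the provider redirects."""
    service = provider_visible_service(service_url)
    if service is None:
        return None
    inner = parse_qs(urlsplit(service).query)
    return inner.get("_next", [None])[0]


def is_safe_next(next_value, allowed_prefix="/"):
    """Accept _next only if it is a relative path on this site.

    Rejects absolute URLs (scheme or host present), protocol-relative '//host'
    forms, and backslash tricks that some browsers treat like '//'. An optional
    prefix restricts the redirect to one application's URL space.
    """
    if not next_value:
        return False
    parts = urlsplit(next_value)
    if parts.scheme or parts.netloc:
        return False
    if not next_value.startswith("/"):
        return False
    if next_value.startswith("//") or next_value.startswith("/\\"):
        return False
    return next_value.startswith(allowed_prefix)


def choose_redirect(next_value, fallback="/"):
    """Redirect target a login handler should use: the validated _next or a fallback."""
    return next_value if is_safe_next(next_value) else fallback


if __name__ == "__main__":
    login_with_next = build_login_url(APP_LOGIN, "/app1/default/xxx")
    service_url = build_service_url(SSO_LOGIN, login_with_next)
    print("redirect to SSO:", service_url)
    # The provider sees the full inner URL, _next included.
    print("provider sees:  ", provider_visible_service(service_url))
    print("recovered _next:", recover_next(service_url))
    for candidate in ["/app1/default/xxx", "//evil.example/", "http://evil.example/", "/\\evil.example"]:
        print(repr(candidate), "->", choose_redirect(candidate))
```

The round trip only works if the provider hands the service value back untouched; if it normalises or strips the query string, _next is lost exactly as described above, and the session-based fallback is what covers that case. Independently of where _next comes from, choose_redirect is the guard that keeps a login page from redirecting users to an arbitrary host.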

