Exposed formcallable argument for repoze.who.plugins.form.FormPlugin to the callers of the repoze.who.plugins.form.make_plugin factory. Thanks to Roland Hedburg for the report.
Fixed an issue that caused the following symptom when using the ini configuration parser:
TypeError: _makePlugin() got multiple values for keyword argument 'name'
See http://bugs.repoze.org/issue92 for more details. Thanks to vaab for the bug report and initial fix.
Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
Documented issue with using include_ip setting in the auth_tkt plugin. See http://bugs.repoze.org/issue81 .
Added ‘passthrough_challenge_decider’, which avoids re-challenging 401 responses which have been “pre-challenged” by the application.
One-hundred percent unit test coverage.
Add timeout and reissue_time arguments to the auth_tkt identifier plugin, courtesy of Paul Johnston.
Add a userid_checker argument to the auth_tkt identifier plugin, courtesy of Gustavo Narea.
If userid_checker is provided, it must be a dotted Python name that resolves to a function which accepts a userid and returns a boolean True or False, indicating whether that user exists in a database.

This is a workaround. Due to a design bug in repoze.who, the only way who can check for user existence is to use one or more IAuthenticator plugin authenticate methods. If an IAuthenticator’s authenticate method returns true, it means that the user exists. However most IAuthenticator plugins expect both a username and a password, and will return False unconditionally if both aren’t supplied. This means that an authenticator can’t be used to check if the user “only” exists. The identity provided by an auth_tkt does not contain a password to check against.

The actual design bug in repoze.who is this: when a user presents credentials from an auth_tkt, he is considered “preauthenticated”. IAuthenticator.authenticate is just never called for a “preauthenticated” identity, which works fine, but it means that the user will be considered authenticated even if you deleted the user’s record from whatever database you happen to be using. However, if you use a userid_checker, you can ensure that a user exists for the auth_tkt supplied userid. If the userid_checker returns False, the auth_tkt credentials are considered “no good”.
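A userid_checker of the kind described above, as an added example that is not part of repoze.who or its changelog. The users table, make_userid_checker, and identify_from_ticket (a simplified stand-in for how a ticket's userid is accepted or rejected) are assumptions for illustration.

```python
import sqlite3


def make_userid_checker(conn):
    """Build a userid_checker bound to a user database connection."""
    def user_exists(userid):
        # Ticket userids may be strings or integers; normalise before lookup.
        try:
            row = conn.execute(
                "SELECT 1 FROM users WHERE userid = ?", (str(userid),)
            ).fetchone()
        except sqlite3.Error:
            # Fail closed: if existence cannot be confirmed, reject the ticket.
            return False
        return row is not None
    return user_exists


def identify_from_ticket(ticket_userid, userid_checker=None):
    """Simplified model of the 'preauthenticated' path (not repoze.who code)."""
    if userid_checker is not None and not userid_checker(ticket_userid):
        return None  # ticket credentials are considered "no good"
    return {"repoze.who.userid": ticket_userid}


# Constructed sample data: an in-memory table standing in for the user store.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY)")
db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("42",)])
db.commit()

# Module-level function, so that a dotted Python name can resolve to it.
user_exists = make_userid_checker(db)


def demo():
    """Delete a user whose ticket is still valid, then compare both paths."""
    before = identify_from_ticket("alice", user_exists)
    db.execute("DELETE FROM users WHERE userid = ?", ("alice",))
    db.commit()
    without_checker = identify_from_ticket("alice")            # still accepted
    with_checker = identify_from_ticket("alice", user_exists)  # rejected
    return before, without_checker, with_checker


if __name__ == "__main__":
    print(demo())
```

The checker runs on every request that presents a ticket, so the lookup it performs should be cheap.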
Fix bug found by Chris Perkins: the auth_tkt plugin’s “remember” method didn’t handle userids which are Python “long” instances properly. Symptom: TypeError: cannot concatenate ‘str’ and ‘long’ objects in “paste.auth.auth_tkt”.
Added predicate-based “restriction” middleware support (repoze.who.restrict), allowing configuration-driven authorization as a WSGI filter. One example predicate, ‘authenticated_predicate’, is supplied, which requires that the user be authenticated either via ‘REMOTE_USER’ or via ‘repoze.who.identity’. To use the filter to restrict access:

    [filter:authenticated_only]
    use = egg:repoze.who#authenticated

or::

    [filter:some_predicate]
    use = egg:repoze.who#predicate
    predicate = my.module:some_predicate
    some_option = a value

The plugin at plugins.form.FormPlugin didn’t redirect properly after collecting identification information. Symptom: a downstream app would receive a POST request with a blank body, which would sometimes result in a Bad Request error.
Fixed interface declarations of ‘classifiers.default_request_classifier’ and ‘classifiers.default_password_compare’.
Added actual config-driven middleware factory, ‘config.make_middleware_with_config’
Removed fossilized ‘who_conf’ argument from plugin factory functions.
Added ConfigParser-based WhoConfig, implementing the spec outlined at http://www.plope.com/static/misc/sphinxtest/intro.html#middleware-configuration-via-config-file, with the following changes:
as either egg entry points (e.g., ‘egg:distname#entry_point_name’) or as dotted-path-with-colon (e.g., ‘dotted.name:object_id’).
Therefore, the separator between a plugin and its classifier is now a semicolon, rather than a colon. E.g.:

    [plugins:id_plugin]
    use = egg:another.package#identify_with_frobnatz
    frobnatz = baz

    [identifiers]
    plugins =
        egg:my.egg#identify;browser
        dotted.name:identifier
        id_plugin

Change the IMetadataProvider interface: this interface used to have a “metadata” method which returned a dictionary. This method is not part of that API anymore. It’s been replaced with an “add_metadata” method which has the signature:

    def add_metadata(environ, identity):
        """
        Add metadata to the identity (which is a dictionary)
        """

The return value is ignored. IMetadataProvider plugins are now assumed to be responsible for 'scribbling' directly on the identity that is passed in (it's a dictionary). The user id can always be retrieved from the identity via identity['repoze.who.userid'] for metadata plugins that rely on that value.