Add logic to core View class, to force logout if user becomes inactive

Also, expose "active sticky" field for user views
Lance Edgar 2017-03-27 21:37:45 -05:00
parent bef0a2d0b6
commit 97aa17f64d
4 changed files with 22 additions and 9 deletions


@ -1,4 +1,4 @@
# -*- coding: utf-8 -*-
# -*- coding: utf-8; -*-
################################################################################
#
# Rattail -- Retail Software Framework
@ -34,7 +34,7 @@ from rattail.util import prettify, NOTSET
from zope.interface import implementer
from pyramid.interfaces import IAuthorizationPolicy
from pyramid.security import remember, Everyone, Authenticated
from pyramid.security import remember, forget, Everyone, Authenticated
from tailbone.db import Session
@ -55,6 +55,17 @@ def login_user(request, user, timeout=NOTSET):
return headers
def logout_user(request):
"""
Perform the logout action for the given request. Note that this returns a
``headers`` dict which you should pass to the redirect.
"""
request.session.delete()
request.session.invalidate()
headers = forget(request)
return headers
def session_timeout_for_user(user):
"""
Returns the "max" session timeout for the user, according to roles
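Review bot: The `logout_user` docstring says the returned headers "should" go on the redirect, but it does not say why, and a caller that drops them leaves the logout half-done: `request.session.delete()` / `invalidate()` only clear the server-side session, while the cookie-clearing part of the logout lives entirely in the headers that `forget(request)` returns. I would add to the docstring: `The headers come from pyramid's forget() and clear the client's auth cookie; the logout is not complete until they are sent on the response.` That makes the contract explicit for new callers such as the one this commit adds in the core View class. `session_timeout_for_user` below starts in this hunk but its body runs past it.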


@ -1,8 +1,8 @@
# -*- coding: utf-8 -*-
# -*- coding: utf-8; -*-
################################################################################
#
# Rattail -- Retail Software Framework
# Copyright © 2010-2016 Lance Edgar
# Copyright © 2010-2017 Lance Edgar
#
# This file is part of Rattail.
#
@ -30,14 +30,13 @@ from rattail.db.auth import authenticate_user, set_user_password
import formencode as fe
from pyramid.httpexceptions import HTTPForbidden
from pyramid.security import remember, forget
from pyramid_simpleform import Form
from webhelpers.html import tags, literal
from tailbone import forms
from tailbone.db import Session
from tailbone.views import View
from tailbone.auth import login_user
from tailbone.auth import login_user, logout_user
class UserLogin(fe.Schema):
@ -137,9 +136,7 @@ class AuthenticationView(View):
This deletes/invalidates the current session and then redirects to the
login page.
"""
self.request.session.delete()
self.request.session.invalidate()
headers = forget(self.request)
headers = logout_user(self.request)
if self.rattail_config.getbool('tailbone', 'home_after_logout', default=False):
return self.redirect(self.request.route_url('home'), headers=headers)
login = 'mobile.login' if mobile else 'login'
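Review bot: `forget` on the `from pyramid.security import remember, forget` line looks unused after this change: its only visible use, `headers = forget(self.request)`, is the line the logout method now replaces with `headers = logout_user(self.request)`. If nothing else in the module still calls it, trim the line to `from pyramid.security import remember` so the import list matches what the view actually does. The logout method itself starts and ends outside this hunk, so I cannot confirm there is no other use.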


@ -35,6 +35,7 @@ from pyramid.renderers import render_to_response
from pyramid.response import FileResponse
from tailbone.db import Session
from tailbone.auth import logout_user
class View(object):
@ -44,6 +45,9 @@ class View(object):
def __init__(self, request):
self.request = request
if request.user and not request.user.active:
headers = logout_user(request)
raise self.redirect(request.route_url('home'))
config = self.rattail_config
if config:
self.enum = config.get_enum()
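Review bot: The forced logout in `View.__init__` computes `headers = logout_user(request)` and then throws them away: `raise self.redirect(request.route_url('home'))` sends the redirect without them, so the cookie-clearing headers that `forget()` produced never reach the client, and the `headers` local is dead. The logout view changed in this same commit does pass them (`return self.redirect(..., headers=headers)`), so the new code should match it: `raise self.redirect(request.route_url('home'), headers=headers)`. Whether the stale auth cookie is actually harmful depends on the authentication policy in use, which is not visible here, but dropping `forget()`'s headers defeats the purpose of calling it. Note also that this check runs before `self.rattail_config` is read, and `self.redirect` is defined outside this hunk; `__init__` continues past the hunk.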


@ -187,6 +187,7 @@ class UsersView(PrincipalMasterView):
fs.username,
fs.person,
fs.active,
fs.active_sticky,
fs.password,
fs.confirm_password,
fs.roles,