diff --git a/tailbone/auth.py b/tailbone/auth.py
index 3a0aca0e..1fc46d68 100644
--- a/tailbone/auth.py
+++ b/tailbone/auth.py
@@ -2,7 +2,7 @@
 ################################################################################
 #
 # Rattail -- Retail Software Framework
-# Copyright © 2010-2016 Lance Edgar
+# Copyright © 2010-2017 Lance Edgar
 #
 # This file is part of Rattail.
 #
@@ -26,17 +26,63 @@ Authentication & Authorization from __future__ import unicode_literals, absolute_import +import logging + from rattail.db import model from rattail.db.auth import has_permission from rattail.util import prettify from zope.interface import implementer from pyramid.interfaces import IAuthorizationPolicy -from pyramid.security import Everyone, Authenticated +from pyramid.security import remember, Everyone, Authenticated from tailbone.db import Session +log = logging.getLogger(__name__) + + +def login_user(request, user): + """ + Perform the steps necessary to login the given user. Note that this + returns a ``headers`` dict which you should pass to the redirect. + """ + headers = remember(request, user.uuid) + timeout = get_session_timeout_for_user(request.rattail_config, user) or None + log.debug("setting session timeout for '{}' to {}".format(user.username, timeout)) + set_session_timeout(request, timeout) + return headers + + +def get_session_timeout_for_user(config, user): + """ + Must return a value to be used to set the session timeout for the given + user. By default this will return ``None`` if the user has the + "forever session" permission, otherwise will try to read a default + value from config: + + .. code-block:: ini + + [tailbone] + + # set session timeout to 10 minutes: + session.default_timeout = 600 + + # or, set to 0 to disable: + #session.default_timeout = 0 + """ + if not has_permission(Session(), user, 'general.forever_session'): + return config.getint('tailbone', 'session.default_timeout', + default=300) # 5 minutes + + +def set_session_timeout(request, timeout): + """ + Set the server-side session timeout to the given value. + """ + request.session['_timeout'] = timeout or None + + @implementer(IAuthorizationPolicy) class TailboneAuthorizationPolicy(object): diff --git a/tailbone/views/auth.py b/tailbone/views/auth.py index e57f2a00..2ff18efa 100644 --- a/tailbone/views/auth.py +++ b/tailbone/views/auth.py 
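Review bot: `login_user` issues the auth cookie via `remember()` and then writes `_timeout` into the session that already existed before authentication, so the pre-login session id is carried across the privilege boundary (session fixation) unless the configured session factory regenerates ids on its own, which nothing in this hunk shows. Consider `request.session.invalidate()` as the first statement of `login_user`, ahead of `headers = remember(request, user.uuid)`; the caller in tailbone/views/auth.py pops `next_url` from the session after `login_user` returns, so that value would have to be read out before invalidating. Separately, `get_session_timeout_for_user` falls off the end for users holding `general.forever_session`; an explicit `return None  # forever-session users get no timeout` would make the documented contract visible in the code rather than implied. `set_session_timeout`'s docstring could also state that a falsy `timeout` (including the documented `0`) is stored as `None`, meaning no server-side timeout.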
@@ -26,9 +26,7 @@ Auth Views from __future__ import unicode_literals, absolute_import -import logging - -from rattail.db.auth import authenticate_user, set_user_password, has_permission +from rattail.db.auth import authenticate_user, set_user_password import formencode as fe from pyramid.httpexceptions import HTTPForbidden @@ -39,9 +37,7 @@ from webhelpers.html import tags, literal from tailbone import forms from tailbone.db import Session from tailbone.views import View - - -log = logging.getLogger(__name__) +from tailbone.auth import login_user class UserLogin(fe.Schema): @@ -111,13 +107,8 @@ class AuthenticationView(View): user = self.authenticate_user(form.data['username'], form.data['password']) if user: - # okay now they're truly logged in - headers = remember(self.request, user.uuid) - timeout = self.get_session_timeout_for_user(user) or None - log.debug("setting session timeout for '{}' to {}".format(user.username, timeout)) - self.set_session_timeout(timeout) - + headers = login_user(self.request, user) # treat URL from session as referrer, if available referrer = self.request.session.pop('next_url', referrer) return self.redirect(referrer, headers=headers) 
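Review bot: Replacing the inline logic with `headers = login_user(self.request, user)` removes two overridable hooks on `AuthenticationView` — `get_session_timeout_for_user` and `set_session_timeout`, deleted in the last hunk — while `authenticate_user` stays a method, so any subclass that customised the timeout hooks is now silently bypassed. If that extensibility is meant to survive, keep thin methods on the view that delegate to the new module-level functions and route the timeout through them, or at least note in `login_user`'s docstring that the view-level hooks no longer exist. The `login` method this line belongs to starts outside the hunk, and `mobile_login` reaches the same path via `self.login(mobile=True)`, so both entry points are affected.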
@@ -134,33 +125,6 @@ class AuthenticationView(View): def authenticate_user(self, username, password): return authenticate_user(Session(), username, password) - def get_session_timeout_for_user(self, user): - """ - Must return a value to be used to set the session timeout for the given - user. By default this will return ``None`` if the user has the - "forever session" permission, otherwise will try to read a default - value from config: - - .. code-block:: ini - - [tailbone] - - # set session timeout to 10 minutes: - session.default_timeout = 600 - - # or, set to 0 to disable: - #session.default_timeout = 0 - """ - if not has_permission(Session(), user, 'general.forever_session'): - return self.rattail_config.getint('tailbone', 'session.default_timeout', - default=300) # 5 minutes - - def set_session_timeout(self, timeout): - """ - Set the server-side session timeout to the given value. - """ - self.request.session['_timeout'] = timeout or None - def mobile_login(self): return self.login(mobile=True)