| author | Tres Seaver <tseaver@palladion.com> | 2024-06-09 16:28:34 -0400 |
|---|---|---|
| committer | Tres Seaver <tseaver@palladion.com> | 2024-06-09 21:09:19 -0400 |
| commit | c9235146e0102d03bb4548711cd0b3b0637d81fa (patch) | |
| tree | 3a4fee834522fea73a3eaa9eda02c9bb7be0aa69 | |
| parent | 72f61853beda8e21b669c3520e43fe3e5b224ba3 (diff) | |
| download | pyramid-c9235146e0102d03bb4548711cd0b3b0637d81fa.tar.gz pyramid-c9235146e0102d03bb4548711cd0b3b0637d81fa.tar.bz2 pyramid-c9235146e0102d03bb4548711cd0b3b0637d81fa.zip | |
docs: remove 'came_from' from login view
- The narrative doesn't discuss this (mis-)feature.
- Without any authorization, there is no meaningful reason to remember
the 'previous' page.
- As a general rule, we want to avoid trusting user-supplied data (i.e.,
from the query string or form params) when constructing redirect URLs.
4 files changed, 6 insertions, 11 deletions
diff --git a/docs/quick_tutorial/authentication.rst b/docs/quick_tutorial/authentication.rst index 3f6df17de..da76f3ec7 100644 --- a/docs/quick_tutorial/authentication.rst +++ b/docs/quick_tutorial/authentication.rst @@ -137,7 +137,7 @@ Subsequent requests return that cookie and identify the user. In our template, we fetched the ``logged_in`` value from the view class. We use this to calculate the logged-in user, if any. In the template we can then choose to show a login link to anonymous visitors or a logout link to logged-in -users. +users, including their login name. Extra credit diff --git a/docs/quick_tutorial/authentication/tutorial/home.pt b/docs/quick_tutorial/authentication/tutorial/home.pt index ed911b673..0e8508558 100644 --- a/docs/quick_tutorial/authentication/tutorial/home.pt +++ b/docs/quick_tutorial/authentication/tutorial/home.pt @@ -8,8 +8,10 @@ <div> <a tal:condition="view.logged_in is None" href="${request.application_url}/login">Log In</a> - <a tal:condition="view.logged_in is not None" - href="${request.application_url}/logout">Logout</a> + <span tal:condition="view.logged_in is not None"> + <a href="${request.application_url}/logout">Logout</a> + as ${view.logged_in} + </span> </div> <h1>Hi ${name}</h1> diff --git a/docs/quick_tutorial/authentication/tutorial/login.pt b/docs/quick_tutorial/authentication/tutorial/login.pt index 9e5bfe2ad..db8080fc8 100644 --- a/docs/quick_tutorial/authentication/tutorial/login.pt +++ b/docs/quick_tutorial/authentication/tutorial/login.pt @@ -8,8 +8,6 @@ <span tal:replace="message"/> <form action="${url}" method="post"> - <input type="hidden" name="came_from" - value="${came_from}"/> <label for="login">Username</label> <input type="text" id="login" name="login" diff --git a/docs/quick_tutorial/authentication/tutorial/views.py b/docs/quick_tutorial/authentication/tutorial/views.py index b2d9354ec..7c57d6371 100644 --- a/docs/quick_tutorial/authentication/tutorial/views.py 
+++ b/docs/quick_tutorial/authentication/tutorial/views.py @@ -33,10 +33,6 @@ class TutorialViews: def login(self): request = self.request login_url = request.route_url('login') - referrer = request.url - if referrer == login_url: - referrer = '/' # never use login form itself as came_from - came_from = request.params.get('came_from', referrer) message = '' login = '' password = '' @@ -46,7 +42,7 @@ class TutorialViews: hashed_pw = USERS.get(login) if hashed_pw and check_password(password, hashed_pw): headers = remember(request, login) - return HTTPFound(location=came_from, + return HTTPFound(location=request.route_url("home"), headers=headers) message = 'Failed login' @@ -54,7 +50,6 @@ class TutorialViews: name='Login', message=message, url=request.application_url + '/login', - came_from=came_from, login=login, password=password, ) |
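Review bot: the home.pt hunk (together with the matching sentence change in authentication.rst, "users, including their login name") adds display of the login name beside the Logout link, which is unrelated to the stated purpose of removing came_from; consider splitting it into its own commit so the redirect-hardening change can be reviewed and cherry-picked on its own. Rendering `${view.logged_in}` there is fine as written, since Chameleon escapes `${}` output by default.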
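Review bot: in the views.py hunk at `@@ -33,10 +33,6 @@`, `login_url = request.route_url('login')` looks unused once the `if referrer == login_url:` check is deleted; if nothing further down the view reads it, drop the assignment (linters will flag it as an unused local), or reuse it for the `url=` entry in the returned dict instead of rebuilding the path by hand.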
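Review bot: in the views.py hunk at `@@ -46,7 +42,7 @@`, `request.route_url("home")` uses double quotes while the rest of the file (`route_url('login')`, `'Failed login'`) uses single quotes; make it `request.route_url('home')` for consistency. The substance is right: the post-login redirect is now built from the route table rather than from a request parameter, which closes the open-redirect path the commit message describes.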
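Review bot: in the views.py hunk at `@@ -54,7 +50,6 @@`, the remaining `url=request.application_url + '/login'` hand-builds the same URL that `request.route_url('login')` already computes at the top of the view; passing `url=login_url` keeps the form action tied to the named route (and gives the otherwise-unused `login_url` a purpose) instead of string concatenation that silently drifts if the route pattern changes.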
