| author | Tres Seaver <tseaver@palladion.com> | 2024-06-09 16:28:34 -0400 |
|---|---|---|
| committer | Tres Seaver <tseaver@palladion.com> | 2024-06-09 21:09:19 -0400 |
| commit | c9235146e0102d03bb4548711cd0b3b0637d81fa (patch) | |
| tree | 3a4fee834522fea73a3eaa9eda02c9bb7be0aa69 /docs/quick_tutorial/authentication.rst | |
| parent | 72f61853beda8e21b669c3520e43fe3e5b224ba3 (diff) | |
| download | pyramid-c9235146e0102d03bb4548711cd0b3b0637d81fa.tar.gz pyramid-c9235146e0102d03bb4548711cd0b3b0637d81fa.tar.bz2 pyramid-c9235146e0102d03bb4548711cd0b3b0637d81fa.zip | |
docs: remove 'came_from' from login view
- The narrative doesn't discuss this (mis-)feature.
- Without any authorization, there is no meaningful reason to remember
the 'previous' page.
- As a general rule, we want to avoid trusting user-supplied data (i.e.,
from the query string or form params) when constructing redirect URLs.
Diffstat (limited to 'docs/quick_tutorial/authentication.rst')
| -rw-r--r-- | docs/quick_tutorial/authentication.rst | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/quick_tutorial/authentication.rst b/docs/quick_tutorial/authentication.rst index 3f6df17de..da76f3ec7 100644 --- a/docs/quick_tutorial/authentication.rst +++ b/docs/quick_tutorial/authentication.rst @@ -137,7 +137,7 @@ Subsequent requests return that cookie and identify the user. In our template, we fetched the ``logged_in`` value from the view class. We use this to calculate the logged-in user, if any. In the template we can then choose to show a login link to anonymous visitors or a logout link to logged-in -users. +users, including their login name. Extra credit |
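Review bot: the only visible change in this file is the narrative wording ("users." becoming "users, including their login name."), while the commit message describes removing the ``came_from`` handling from the login view and the diffstat is limited to ``docs/quick_tutorial/authentication.rst``, so please confirm that the tutorial's login view source in the same commit actually drops the ``came_from`` lookup and redirect, and that the tutorial text no longer mentions it anywhere else; a doc-only hunk that does not match its stated rationale (not trusting query-string or form data when building redirect URLs) is easy to miss in review. Also, the new phrase "including their login name" should match what the template in this section renders, so cite the template variable alongside ``logged_in`` if the name is shown.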
