Merge pull request #3760 from Pylons/tseaver-qt_cleanup

docs: quick tutorial cleanups

4 files changed, 45 insertions, 15 deletions

diff --git a/docs/quick_tutorial/authorization/tutorial/__init__.py b/docs/quick_tutorial/authorization/tutorial/__init__.py
index 255bb35ac..f59d5ab6d 100644
--- a/docs/quick_tutorial/authorization/tutorial/__init__.py
+++ b/docs/quick_tutorial/authorization/tutorial/__init__.py
@@ -1,11 +1,16 @@
 from pyramid.config import Configurator
+from pyramid.session import SignedCookieSessionFactory
 
 from .security import SecurityPolicy
 
 
 def main(global_config, **settings):
-    config = Configurator(settings=settings,
-                          root_factory='.resources.Root')
+    my_session_factory = SignedCookieSessionFactory('itsaseekreet')
+    config = Configurator(
+        settings=settings,
+        root_factory='.resources.Root',
+        session_factory=my_session_factory,
+    )
     config.include('pyramid_chameleon')
 
     config.set_security_policy(
diff --git a/docs/quick_tutorial/authorization/tutorial/home.pt b/docs/quick_tutorial/authorization/tutorial/home.pt
index ed911b673..0e8508558 100644
--- a/docs/quick_tutorial/authorization/tutorial/home.pt
+++ b/docs/quick_tutorial/authorization/tutorial/home.pt
@@ -8,8 +8,10 @@
 <div>
     <a tal:condition="view.logged_in is None"
             href="${request.application_url}/login">Log In</a>
-    <a tal:condition="view.logged_in is not None"
-            href="${request.application_url}/logout">Logout</a>
+    <span tal:condition="view.logged_in is not None">
+     <a href="${request.application_url}/logout">Logout</a>
+        as ${view.logged_in}
+    </span>
 </div>
 
 <h1>Hi ${name}</h1>
diff --git a/docs/quick_tutorial/authorization/tutorial/login.pt b/docs/quick_tutorial/authorization/tutorial/login.pt
index 9e5bfe2ad..db8080fc8 100644
--- a/docs/quick_tutorial/authorization/tutorial/login.pt
+++ b/docs/quick_tutorial/authorization/tutorial/login.pt
@@ -8,8 +8,6 @@
 <span tal:replace="message"/>
 
 <form action="${url}" method="post">
-    <input type="hidden" name="came_from"
-           value="${came_from}"/>
     <label for="login">Username</label>
     <input type="text" id="login"
            name="login"
diff --git a/docs/quick_tutorial/authorization/tutorial/views.py b/docs/quick_tutorial/authorization/tutorial/views.py
index b9c828086..9b3bbe42a 100644
--- a/docs/quick_tutorial/authorization/tutorial/views.py
+++ b/docs/quick_tutorial/authorization/tutorial/views.py
@@ -30,33 +30,58 @@ class TutorialViews:
     def hello(self):
         return {'name': 'Hello View'}
 
+    @forbidden_view_config()
+    def forbidden(self):
+        request = self.request
+        session = request.session
+        if request.matched_route is not None:
+            session['came_from'] = {
+                'route_name': request.matched_route.name,
+                'route_kwargs': request.matchdict,
+            }
+            if request.authenticated_userid is not None:
+                session['message'] = (
+                    f'User {request.authenticated_userid} is not allowed '
+                    f'to see this resource.  Please log in as another user.'
+                )
+        else:
+            if 'came_from' in session:
+                del session['came_from']
+
+        return HTTPFound(request.route_url('login'))
+
     @view_config(route_name='login', renderer='login.pt')
-    @forbidden_view_config(renderer='login.pt')
     def login(self):
         request = self.request
+        session = request.session
         login_url = request.route_url('login')
-        referrer = request.url
-        if referrer == login_url:
-            referrer = '/'  # never use login form itself as came_from
-        came_from = request.params.get('came_from', referrer)
-        message = ''
+        came_from = session.get('came_from')
+        message = session.get('message', '')
         login = ''
         password = ''
+
         if 'form.submitted' in request.params:
             login = request.params['login']
             password = request.params['password']
             hashed_pw = USERS.get(login)
             if hashed_pw and check_password(password, hashed_pw):
                 headers = remember(request, login)
-                return HTTPFound(location=came_from,
-                                 headers=headers)
+
+                if came_from is not None:
+                    return_to = request.route_url(
+                        came_from['route_name'], **came_from['route_kwargs'],
+                    )
+                else:
+                    return_to = request.route_url('home')
+
+                return HTTPFound(location=return_to, headers=headers)
+
             message = 'Failed login'
 
         return dict(
             name='Login',
             message=message,
             url=request.application_url + '/login',
-            came_from=came_from,
             login=login,
             password=password,
         )