Secure Controller not working with ldap demo code

Asked by

I used the demo example given with the ldap plugin and then I wrote a simple secure controller like this:

class SecureController(BaseController):

    allow_only = not_anonymous(msg='')

    def check(self):
        return 'Inside'

and my predicate is:
class is_a_manager(Predicate):
    message = 'You do not have enough privileges to access this resource'

    def evaluate(self, environ, credentials):
        for (key, value) in request.environ['repoze.who.identity'].items():
            if key == "x-PrivilegeName" and "manage" not in value:

Now :

Everytime I navigate to /about, login and then navigate to this url(/secc/check), it returns a login page and the log says:
"2010-04-20 20:25:51,430 Authorization denied: The current user must have been authenticated" but the user has already been authenticated in the first step. This does not happen if I remove the "allow_only = not_anonymous(msg='')" in the secure controller.

Any ideas why ?

Question information

English Edit question
repoze.who LDAP plugin Edit question
Gustavo Narea Edit question
Solved by:
Last query:
Last reply:
Revision history for this message
Gustavo Narea (gnarea) said :


That sounds really strange and I cannot reproduce it. :/

What version of repoze.who are you using? repoze.who 2.0 isn't supported yet.

Can you please also post all the relevant output you get in your terminal, starting with the initial/successful authentication?

 - Gustavo.

Revision history for this message (spice.abhi) said :


The demo code wraps the Tg2 middleware with who only and not what. The predicate checks for authorization also and hence it was failing. This is what I did to fix it.

# Configuring the plugins
ldap_auth = LDAPAuthenticatorPlugin('ldap://testing.example.pvt',
ldap_attributes = LDAPAttributesPlugin('ldap://testing.example.pvt')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
form = FormPlugin('__do_login', rememberer_name='auth_tkt')
form.classifications = { IIdentifier: ['browser'],
IChallenger: ['browser'] } # only for browser
identifiers = [('form', form),('auth_tkt',auth_tkt)]
authenticators = [('ldap_auth', ldap_auth)]
challengers = [('form',form)]
mdproviders = [('ldap_attributes', ldap_attributes)]

# Using the default repoze.who classifiers:
from repoze.who.classifiers import default_request_classifier, \

def make_app(global_conf, full_stack=True, **app_conf):
    base_app = make_base_app(global_conf, full_stack=True, **app_conf)
    #Wrap your base turbogears app with custom middleware
    app_with_auth = setup_auth(base_app, None, None, # No groups & permissions
    return app_with_auth

After this I was able to use the predicates for my controller. But I am unable to do the same using the who.ini method which I prefer over the programmatic way.

Revision history for this message (spice.abhi) said :

Closing the question.