nick | message | time |
---|---|---|
hhyhqyq | . | 01:30 |
greg-g | jrwren: Acer B243PWL | 01:38 |
_stink__ | rick_h_: you implemented your own sessions in bookie, right? didn't use some other session package? looking at code now. | 03:05 |
rick_h_ | _stink__: well it's in pyramid | 03:13 |
rick_h_ | look for 'remember' | 03:13 |
rick_h_ | _stink__: in views/auth.py | 03:14 |
_stink__ | ok yep, just saw that | 03:14 |
_stink__ | trying to digest | 03:14 |
_stink__ | thanks | 03:14 |
_stink__ | so that tells the browser to set a cookie for itself | 03:15 |
rick_h_ | _stink__: rgr, adds it to the header | 03:15 |
rick_h_ | _stink__: but yea, farmed out to pyramid security | 03:16 |
_stink__ | and ReqAuthorize is what checks for good credentials for whatever view callable needs it? | 03:17 |
rick_h_ | well, request.username is populated by parsing out the header and finding who the user is | 03:17 |
rick_h_ | look in bookie/views/auth.py: | 03:18 |
rick_h_ | errr from bookie.lib.access import RequestWithUserAttribute | 03:18 |
rick_h_ | that thing reads the user back out of the encrypted header, and then the lib/access.py uses a bunch of stuff to figure out if a user is auth'd or not for the given request | 03:19 |
rick_h_ | e.g. your header can't authorize you to delete another user's account | 03:19 |
_stink__ | rick_h_: silly question - how can i tell from the code that the headers sent back (generated by remember(), i think) are encrypted? i just don't see that in the code. | 03:26 |
_stink__ | i mean i obviously believe you just don't see it to understand it. | 03:26 |
rick_h_ | _stink__: so that's pyramid's job and the type of security you use in that. There's a key in the .ini file you use that is the key | 03:26 |
rick_h_ | auth.secret=PLEASECHANGEME | 03:26 |
rick_h_ | http://docs.pylonsproject.org/projects/pyramid/en/1.5-branch/quick_tutorial/authentication.html?highlight=remember%20secret | 03:28 |
rick_h_ | _stink__: see the auth policy setup in the bookie/__init__.py | 03:28 |
rick_h_ | http://docs.pylonsproject.org/projects/pyramid/en/1.5-branch/quick_tutorial/authentication.html?highlight=remember%20secret | 03:28 |
rick_h_ | errr crap | 03:28 |
rick_h_ | from pyramid.authentication import AuthTktAuthenticationPolicy | 03:28 |
rick_h_ | from pyramid.authorization import ACLAuthorizationPolicy | 03:28 |
_stink__ | ahhhhhhh great | 03:28 |
_stink__ | ok thanks so much | 03:28 |
rick_h_ | _stink__: np, thanks for the refresher :) but yea that built in code takes in the secret and uses it to encrypt so that only the server can decrypt | 03:29 |
rick_h_ | so obviously don't let that get out or people can build their own valid remember headers | 03:29 |
_stink__ | ok cool. and nothing special about this for API vs. plain old web session use, right? | 03:29 |
_stink__ | i mean they look the same. | 03:29 |
rick_h_ | _stink__: yea, just I don't use it to store data really | 03:30 |
_stink__ | right ok | 03:30 |
_stink__ | just valid or not | 03:30 |
rick_h_ | so I've not messed with trying to keep track of extra stuff, it's either "You're a good person" or not | 03:30 |
_stink__ | haha | 03:30 |
_stink__ | wow this is a puzzle of many parts | 03:38 |
rick_h_ | _stink__: yea, I had to think a bit to get it figured out again | 03:39 |
rick_h_ | it's the kind of thing you setup once and then don't look at again for a while | 03:39 |
rick_h_ | but be careful, bookie is part pyramid, part custom | 03:39 |
_stink__ | yeah i needed an example badly | 03:39 |
rick_h_ | so not sure it's the best overall example | 03:39 |
_stink__ | that's ok | 03:39 |
rick_h_ | but it does work :/ | 03:39 |
_stink__ | hah | 03:39 |
* rick_h_ wishes he could rewrite all his code every year to avoid that 'oh wtf was that...hmmm years ago' stuff | 03:40 |
_stink__ | i see that the configurator is told to use RequestWithUserAttribute as request factory. but i can't tell why user() in RequestWithUserAttribute gets called. | 03:40 |
_stink__ | i think if i understand that i will be in a good place. | 03:40 |
rick_h_ | looking | 03:40 |
rick_h_ | oh! ok, easy. It's that @reify decorator | 03:41 |
_stink__ | does that mean it gets run on instance init and substituted right away? | 03:41 |
rick_h_ | it's a caching decorator that turns request.user into a call to user() at first, and then the cached value after that | 03:41 |
_stink__ | i can't see how user() gets called at all. | 03:41 |
rick_h_ | so anywhere you see request.user, it's hitting that once and then remembering it after that | 03:41 |
_stink__ | OH | 03:42 |
_stink__ | ok | 03:42 |
_stink__ | the attribute is enough | 03:42 |
_stink__ | fantastic | 03:42 |
_stink__ | an explicit call to the method isn't needed | 03:42 |
rick_h_ | https://github.com/Pylons/pyramid/blob/master/pyramid/decorator.py#L1 | 03:42 |
rick_h_ | yea | 03:42 |
_stink__ | haha, have that one open already | 03:42 |
rick_h_ | it's catching the __get__ (which is called when you do obj.property) | 03:43 |
_stink__ | smart. love it. | 03:43 |
_stink__ | ok, now to sleep and let this soak in. | 03:45 |
_stink__ | thanks again. | 03:45 |
rick_h_ | _stink__: cool, let me know if you need a hand or second set of eyes on some code | 03:46 |
rick_h_ | morning | 14:26 |
cmaloney | Morning | 15:08 |
rick_h_ | cmaloney: added a show notes doc in the lococast folder fyi | 15:13 |
rick_h_ | cmaloney: sent the link to chris | 15:13 |
cmaloney | Woo woo | 15:23 |
cmaloney | We need more people bitching about OSS | 15:23 |
cmaloney | Then we can sell ads and make BIG INTERNET MONEY | 15:23 |
rick_h_ | bwuhahahaha | 15:31 |
rick_h_ | cmaloney: did you listen to the last "In Beta" had some good OSS complaining :) | 15:31 |
cmaloney | I haven't yet. | 15:32 |
jrwren | omg, watching my wife and 6yo play super mario wii is hilarious! it's a laurel and hardy routine | 19:15 |
jrwren | i think i stopped listening to "In Beta" because of low signal to noise | 19:15 |
cmaloney | jrwren: You have a Wii or Wii U? | 19:15 |
jrwren | old wii | 19:16 |
cmaloney | (We have the Wii too) | 19:16 |
jrwren | you know how cheap i am, right? :) | 19:16 |
cmaloney | I'd send you my friend code but it's not like it does much. :) | 19:17 |
cmaloney | bbl | 19:17 |
jrwren | right. | 19:21 |
jrwren | i've never really used wii network internet or anything | 19:21 |
jrwren | i actually forgot that it even had a net connection until someone mentioned it recently. | 19:21 |
greg-g | rick_h_: what 2-3 sentences of info should I know before I buy a cross cut saw (I honestly only have a coping saw, actually two) | 20:36 |
greg-g | huh, looked up saws on wikipedia, got this USDA Forest Service book: http://www.fhwa.dot.gov/environment/recreational_trails/publications/fs_publications/04232822/toc.cfm | 20:36 |
rick_h_ | greg-g: you should know the size of the material you're cutting. Are you using bench hooks for cutting. Larger is easier to keep cuts straight and level. I use http://www.badaxetoolworks.com/16-inch-large-tenon-back-saw.html | 20:46 |
cmaloney | http://www.joyent.com/blog/the-power-of-a-pronoun | 22:19 |
cmaloney | I think we're going to have a lot of fodder for tomorrow. | 22:19 |
rick_h_ | heh, I'm staying away from it | 22:25 |
rick_h_ | I'll only get into trouble | 22:25 |
cmaloney | Now I'm really going to bring it up. ;) | 22:29 |
jrwren | during our meeting? | 22:31 |
cmaloney | During lococast. | 22:54 |
rick_h_ | I really like this thing http://antirez.com/news/64 and I asked Erica about it and my wife has set me straight | 23:46 |