6.1.2.3 Authentication

At every traversal step, the Publisher handler checks for the presence of an __auth__ attribute. If found, it will be called with three arguments: the Request object, a string containing the user name and a string containing the password. If the return value of __auth__ is false, then HTTP_UNAUTHORIZED is returned to the client (which will usually cause a password dialog box to appear).

If there exists an __auth_realm__ string, it will be sent to the client as the Authorization Realm (this is the text that usually appears at the top of the password dialog box).

Since functions cannot be assigned attributes, to protect a function, an __auth__ function can be defined within the function, e.g.:

def sensitive(req):

    def __auth__(req, user, password):
        if user == 'spam' and password == 'eggs':
            # let them in
            return 1
        else:
            # no access
            return 0

    # something involving sensitive information
    return 'sensitive information'

The most common use will probably be defining an __auth__ function and an __auth_realm__ string at the module level.

NOTE: In order for mod_python to call the __auth__ function, the module must first be imported. Therefore, any module-level code will get executed during the import even if __auth__ returns false. To truly protect the module from being accessed, use other authentication mechanisms, e.g. Apache's mod_auth or a mod_python PythonAuthenHandler handler.
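
The module-level form mentioned above, written with the NOTE in mind, as an added example that is not part of the original documentation. It assumes Python 3; the names report, _load_report, _digest, _USERS, _SALT and _DUMMY are hypothetical, and the account is the page's constructed spam/eggs pair.

```python
import hashlib
import hmac

# Lets the names below be star-imported when exercising the module outside Apache.
__all__ = ["__auth__", "__auth_realm__", "report"]

# Text the browser shows at the top of its password dialog.
__auth_realm__ = "Members only"

_ROUNDS = 100000


def _digest(password, salt):
    # Salted PBKDF2 digest, so passwords are never compared in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ROUNDS)


# Constructed sample account. It is derived here only to keep the example
# self-contained; a deployment would store the salt and digest, not the
# password. These lines are module-level code, so they run at import time,
# before __auth__ has been consulted.
_SALT = b"constructed-salt"
_USERS = {"spam": _digest("eggs", _SALT)}
_DUMMY = _digest("", _SALT)


def __auth__(req, user, password):
    # Called by the Publisher with the Request, the user name and the password.
    if not isinstance(user, str) or not isinstance(password, str):
        return 0
    # Unknown users are checked against a dummy digest so both paths do the same work.
    expected = _USERS.get(user, _DUMMY)
    supplied = _digest(password, _SALT)
    matched = hmac.compare_digest(supplied, expected)
    return 1 if (matched and user in _USERS) else 0


def _load_report():
    # Hypothetical stand-in for the sensitive work. The leading underscore
    # keeps it from being published directly.
    return "sensitive information"


def report(req):
    # Sensitive work happens only here, after __auth__ has passed, and not
    # at module level where the import would run it regardless.
    return _load_report()
```
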