I'm using TurboGears 2.1 and repoze.who/what and am having trouble figuring out how to extend the basic authentication functionality. I am essentially attempting to require users to activate their account via an emailed link before they can log in. If they try to log in without activating their account, I want to display an appropriate error message. The default TurboGears functionality simply displays one message for all errors.
I created my own authentication plugin which works fine. It won't allow users to log in if they have not activated their account. However, the problem comes when I try to create the form and display custom error messages. How can I go about doing this?
Thanks
It's impossible to give a really good answer without seeing your actual code, but here's one idea:
- Create a repoze.who metadata provider plugin that "scribbles" something that indicates whether the user has activated their account.
- Create a "challenger decider" plugin that looks at both whether the user has authenticated, and also whether they have activated their account (by checking the metadata you set with the metadata plugin).
- Create a challenger plugin to send back the actual challenge. If the user is not authenticated, send back a login form/prompt. If the user is authenticated (your authenticator plugin succeeded), but they have not activated their account, send back a custom error page asking the user to activate their account.
In any case, read this page carefully.
You could also maybe use repoze.what with a custom predicate, but you'd probably have to sprinkle decorators all through your code, checking whether their account has been activated on every controller/method. Ugly.
Hope this helps!
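The three plugins from the answer above, sketched as an added example that is not part of the original answer: plain Python classes that follow repoze.who's plugin call signatures without importing the library. The `ACTIVATED` table, the `activated` identity key and the `/login` URL are assumptions.

```python
# Added example: plain classes following repoze.who's plugin call signatures.
# ACTIVATED is a constructed stand-in for the application's user table.
ACTIVATED = {"alice": True, "bob": False}
IDENTITY_KEY = "repoze.who.identity"  # environ key where repoze.who stores the identity


class ActivationMetadata:
    """IMetadataProvider: annotate the identity after authentication succeeds."""

    def add_metadata(self, environ, identity):
        userid = identity.get("repoze.who.userid")
        # Fail closed: a user missing from the table counts as not activated.
        identity["activated"] = ACTIVATED.get(userid, False)


def activation_challenge_decider(environ, status, headers):
    """IChallengeDecider: challenge on 401, or when the user is not activated."""
    if status.startswith("401 "):
        return True
    identity = environ.get(IDENTITY_KEY)
    return identity is not None and not identity.get("activated", False)


class ActivationChallenger:
    """IChallenger: activation notice for unactivated users, else login redirect."""

    def __init__(self, login_url="/login"):  # hypothetical login URL
        self.login_url = login_url

    def challenge(self, environ, status, app_headers, forget_headers):
        identity = environ.get(IDENTITY_KEY)
        if identity is not None and not identity.get("activated", False):
            # Only reached after the authenticator accepted the credentials, so
            # the notice does not disclose account state to someone guessing
            # usernames. forget_headers drops the remembered login.
            body = b"Please activate your account using the emailed link."
            return self._respond("403 Forbidden", list(forget_headers), body)
        return self._respond("302 Found", [("Location", self.login_url)], b"")

    @staticmethod
    def _respond(status, headers, body):
        def app(environ, start_response):
            extra = [("Content-Type", "text/plain"),
                     ("Content-Length", str(len(body)))]
            start_response(status, headers + extra)
            return [body]
        return app
```

repoze.who consults the challenge decider on egress, after the downstream application has already handled the request with the identity set. State-changing handlers therefore still need their own activation check.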