SwfUpload doesn’t permit to upload things through authenticated methods, this is because it doesn’t pass the cookies needed to identify your users.
Partly this problem can be solved by using swfupload.cookies.js plugin. This plugins fetches all your cookies and passes them as POST arguments. This way you can get your authtkt cookie and use it to identify your user.
from webob.exc import *
from paste.auth import auth_tkt
if kw.has_key('authtkt'):
#by default it is usually configured to do not use the remote address
#otherwise you can fetch it from request.environ['REMOTE_ADDR']
remote_addr = '0.0.0.0'
#cookie secret is usually defined in your config/app_cfg.py
#as base_config.sa_auth.cookie_secret or in your development.ini
cookie_secret = "some_random_string_like_BQQP+BeyrTzTHClBCEdW"
try:
data = auth_tkt.parse_ticket(cookie_secret,
kw.get('authtkt'),
remote_addr)
username = data[1]
user = DBSession.query(User).filter_by(username=username).one()
except:
raise HTTPBadRequest
filename = kw['Filename']
file = kw['Filedata'].file
By using this code you can fetch the user that is uploading the file. This requires the method to do not use @require decorator to check for user permissions, as you will know the user only after entering the method. But you can create your own predicate if you really want to use @require.