On Wed, Oct 15, 2008 at 11:03 AM, Steven <[EMAIL PROTECTED]> wrote:
>
> I'm a newbie trying to get a grasp on what options I have for
> Authentication and Authorization. From reading the docs and the
> pylonsbook.com I've found 2 options so far:
>
> repoze.who (ported from Zope)
> AuthKit (work in progress?)
>
> Are there others?

Building your own is popular. I have a login form and a two-mode authentication that uses LDAP or a database depending on the username's syntax. I have several classes called Permsets ("permission sets") with boolean attributes to describe what permissions a type of user has. Then I have a require_perm() function that takes the expected permission name and arguments, and aborts 403 if forbidden.

My base controller has a .__before__ that does authentication, and controllers can have a class attribute describing the most lenient permission common to all the actions. Then individual actions can do more restrictive tests; e.g., can the user view or edit a particular database record? A companion function has_perm() tells whether something is allowed, which tells me whether to generate links to restricted pages.

If you want to use Basic Authentication rather than a login form, you have to look up the proper HTML statuses and headers to trigger it. That's where repoze.who and AuthKit come in especially handy because they do all that for you.

--
Mike Orr <[EMAIL PROTECTED]>
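
A sketch of the layered check described in the reply above, added here as an example; it is not Mike Orr's code. Only the names require_perm, has_perm and __before__ come from the message. Forbidden, the Permset subclasses, owns() and dispatch() are hypothetical stand-ins, and the exception replaces the framework's 403 abort so the block runs without Pylons.

```python
# Added sketch: Forbidden, StaffPerms, owns() and dispatch() are hypothetical names.
class Forbidden(Exception):
    """Stand-in for the framework's abort(403)."""

class Permset:
    # Deny by default: a permission is False unless a subclass enables it.
    view_record = False
    edit_record = False
    def __init__(self, username=None):
        self.username = username
    def owns(self, record):
        return False

class StaffPerms(Permset):
    view_record = True
    edit_record = True
    def owns(self, record):
        return record.get("owner") == self.username

def has_perm(perms, name, record=None):
    """True if allowed (unknown names are denied); also decides link rendering."""
    if getattr(perms, name, False) is not True:
        return False
    # Record-level test: editing a particular record requires owning it.
    if name == "edit_record" and record is not None:
        return perms.owns(record)
    return True

def require_perm(perms, name, record=None):
    if not has_perm(perms, name, record):
        raise Forbidden(name)  # the real function would abort with 403

class BaseController:
    required_perm = None  # most lenient permission common to all actions
    def __init__(self, perms):
        self.perms = perms  # the real __before__ would authenticate first
    def __before__(self):
        if self.required_perm is None:  # this sketch's choice: fail closed
            raise Forbidden("no permission declared")
        require_perm(self.perms, self.required_perm)
    def dispatch(self, action, *args):
        self.__before__()  # stand-in for the framework's pre-action hook
        return getattr(self, action)(*args)

class RecordController(BaseController):
    required_perm = "view_record"
    def edit(self, record):
        require_perm(self.perms, "edit_record", record)  # stricter, per record
        return "editing %s" % record["id"]
```

Because has_perm() accepts only attributes that are exactly True, a misspelled permission name or a method name such as "owns" is refused rather than treated as truthy.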