Hi Jon,

Replies inline:

On Fri, Nov 7, 2008 at 1:24 AM, Jon Hancock <[EMAIL PROTECTED]> wrote:

>
> In Merb::Authentication, the default implementation of authenticated?
> is:
>    def authenticated?
>      !!user
>    end
>
> This of course follows the default behavior of loading the user from
> DB every time authenticated? is called, which is every page rendering
> if you are following basic auth protections. This is highly
> inefficient and I would like to understand why it works this way


This in no way fetches the user from the database each time.  The user is
fetched from the session once if they are present.  Let's take a look at the
"user" method:

    def user
      return nil if !session[:user]
      @user ||= fetch_user(session[:user])
    end


You can see there that the user is cached from the db into the @user
instance variable.  You can use it as much as you like and it will only be
loaded from the database once.

It's a good idea to trace the code execution stack to find out what it's
doing to make sure it's doing what you think it is.


>
> The user's id is stored in the session object.  It is only necessary
> to check if this id is set to know if the user has been
> authenticated.  It is not necessary to load the user object until
> later when/if other app behavior demands it.
>
> I would submit a patch, but when I look at other auth code in auth-
> more and the password-slice, I think I would break things.  I find
> some of the auth code a bit too highly factored for a newbie to touch.
>
> In addition to this inefficiency, I find that when I need to login a
> user from other than the slice behavior (for example, a user activates
> his account and I want to auto-login as part of the success of the
> activation) the most straightforward thing to do is call "session.user
> = my_newly_activated_user".  This works, but in a refactored world
> where you rely on the user's session id to be set, you would also want
> the default user= method to also set the session user_id and not wait
> for the session object to get serialized to do so.


Again... Let's take a look at the method that looks after this.

    def user=(user)
      session[:user] = nil && return if user.nil?
      session[:user] = store_user(user)
      @user = session[:user] ? user : session[:user]
    end


It certainly does set the session information when you use user=  so I'm not
sure what the issue is.

If you want to use activation for your use, may I suggest that you use the
activation slice.

http://github.com/ck/merb-auth-slice-activation/tree/master

This provides activation checks after authentication and is also compatible
with merbful_authentication and restful_authentication activation.

There is a lot of good info on setting this up in the project's README.


> thanks, Jon


I hope I've helped relieve your concerns here.

Cheers
Daniel
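
Added example, not part of the original message and not merb-auth's own code: a stand-alone sketch of the per-request memoization and the immediate session write discussed in the thread. SessionAuth, USERS and db_hits are hypothetical names, and the in-memory hash is a constructed stand-in for the database.

```ruby
# Constructed stand-in for the users table (id => record).
USERS = { 42 => "jon" }.freeze

class SessionAuth
  attr_reader :session, :db_hits

  def initialize(session)
    @session = session      # one instance per request, wrapping the session hash
    @db_hits = 0            # counts simulated database round-trips
  end

  def authenticated?
    !!user
  end

  # No session key means no lookup at all; otherwise ||= memoizes the record.
  # A nil result (stale id in the session) is not cached by ||= and is
  # looked up again on the next call.
  def user
    return nil if !session[:user]
    @user ||= fetch_user(session[:user])
  end

  # Writes the session key at assignment time, not at serialization time.
  def user=(user)
    # Explicit logout branch. In a one-line `x = nil && return` form the
    # `return` is never reached, because && short-circuits on nil.
    if user.nil?
      session[:user] = nil
      return @user = nil
    end
    session[:user] = store_user(user)
    @user = user
  end

  private

  def fetch_user(id)
    @db_hits += 1
    USERS[id]
  end

  def store_user(user)
    USERS.key(user)         # keep only the id in the session
  end
end
```

Calling authenticated? several times on one instance costs a single lookup; a stale id is the exception, since each call repeats the fetch.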
