The reason I picked Pylons is precisely because it's not polluted with
all-size-fits-all solutions for trivial problems. Coding authentication
from scratch takes less than an hour: with a "remember me" feature,
bcrypt-based hashing, password recovery, etc. And you have to do it just
once during your "Pylons career" and carry it over from one app to another.

Frameworks should concentrate on making mundane and repetitive tasks easy or
even abolish them altogether. User authentication isn't one of those tasks:
it's done only once per project, and every project may need it to be slightly
different, hence it's neither mundane nor particularly repetitive.

What Pylons really needs is a solid replacement for FormEncode. The current
situation calls for an incredible amount of boilerplate. Coming from a Rails
background, I despise the notion of form classes. There's got to be a way to
convert form input into neat dictionaries (and back) without adding
another player (a Form class) to MVC.

Just my $0.02
--
Ev


On Mon, Jun 21, 2010 at 5:34 AM, karantan <[email protected]> wrote:

> Hi
>
> I have been developing in Pylons for about a year and a half, and since
> then I have always wished that we had our own built-in auth system like
> Django has. (I know this will not happen.)
> With every project I wrote my own auth system (because I do not like
> repoze - for simple projects it's overkill and for big projects you
> cannot modify it easily), so I was wondering if you could tell me
> where I should be careful about security holes.
>
> At login POST (if successful) I put user_id in the session and then I secure
> every action with a decorator. That decorator checks if the user is
> signed in (if there is a user_id in the session) and if that user has
> permission for that action.
>
> Because of its simplicity I feel that it needs a bit of a security
> touch. If you look at repoze.who & what or any other auth lib there is a
> ton of code, so there has got to be a reason for that.
>
> best, karantan
>

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/pylons-discuss?hl=en.
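Added example (not code from this thread, from Pylons or from repoze): the scheme karantan describes, user_id in the session and a decorator guarding each action, with the "remember me" and password-hashing pieces Ev mentions, plus the hardening a reviewer would ask for when looking for the "security holes" in it: a salted, slow password hash verified in constant time, the same hashing cost for unknown usernames, session state reset on login against fixation, and remember-me tokens stored only as a hash and rotated on use. Assumptions: `hashlib.pbkdf2_hmac` stands in for the bcrypt the thread mentions, `HTTPError` stands in for Pylons' `abort()`, the session is a plain dict passed explicitly instead of the Pylons global, and the user table is constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import time
from functools import wraps

# Assumption: work factor for this example; tune so one hash costs ~100 ms.
PBKDF2_ROUNDS = 100_000


class HTTPError(Exception):
    """Stand-in for Pylons' abort(status) so the example runs without Pylons."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for the bcrypt the thread mentions)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    _algo, rounds, salt, digest = stored.split("$")
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(rounds))
    return hmac.compare_digest(calc.hex(), digest)  # constant-time comparison


# Constructed sample user table (in a real app this is your model layer).
USERS = {
    "alice": {"id": 1, "password": hash_password("correct horse"), "perms": {"post"}},
    "bob":   {"id": 2, "password": hash_password("hunter2hunter2"), "perms": {"post", "admin"}},
}
USERS_BY_ID = {u["id"]: u for u in USERS.values()}
# Verified for unknown usernames so a login attempt costs the same time either way.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(session, username, password):
    """On success store user_id in the session, as the thread describes."""
    user = USERS.get(username)
    valid = verify_password(password, user["password"] if user else DUMMY_HASH)
    if user is None or not valid:
        return False
    # Discard pre-authentication state (with Beaker also rotate the id via
    # session.regenerate_id()) so a cookie planted earlier cannot be fixated.
    session.clear()
    session["user_id"] = user["id"]
    session["authed_at"] = time.time()
    return True


def requires(permission=None):
    """Action decorator: 401 if not signed in, 403 if `permission` is missing."""
    def decorator(action):
        @wraps(action)
        def wrapper(session, *args, **kwargs):
            user = USERS_BY_ID.get(session.get("user_id"))
            if user is None:
                raise HTTPError(401)
            if permission is not None and permission not in user["perms"]:
                raise HTTPError(403)
            return action(session, *args, **kwargs)
        return wrapper
    return decorator


@requires("admin")
def list_accounts(session):
    return sorted(USERS)


def call(action, session, *args):
    """Run an action and report (status, result) instead of raising."""
    try:
        return 200, action(session, *args)
    except HTTPError as e:
        return e.status, None


# "Remember me": cookie = selector:validator; only sha256(validator) is stored,
# so a leaked token table cannot be replayed as cookies.
REMEMBER_TOKENS = {}  # selector -> (user_id, sha256(validator) hex, expires_at)


def issue_remember_cookie(user_id, ttl=30 * 86400):
    selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = (
        user_id, hashlib.sha256(validator.encode()).hexdigest(), time.time() + ttl)
    return "%s:%s" % (selector, validator)


def login_from_cookie(session, cookie):
    """Sign in from a remember-me cookie; returns the rotated cookie or None."""
    selector, _, validator = cookie.partition(":")
    record = REMEMBER_TOKENS.get(selector)
    if record is None:
        return None
    user_id, validator_hash, expires_at = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    del REMEMBER_TOKENS[selector]  # single use: expired, wrong secret, or consumed
    if time.time() > expires_at or not hmac.compare_digest(presented, validator_hash):
        return None  # a real selector with the wrong secret is theft or guessing
    session.clear()
    session["user_id"] = user_id
    return issue_remember_cookie(user_id)
```

The decorator takes the session as its first argument only so the block runs without Pylons; in a controller you would read `pylons.session` and call `abort()` in the same two places. The dummy-hash path in `login` is what keeps "unknown user" and "wrong password" indistinguishable by response time, which a plain `if user and check(...)` leaks.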
