On Mon, Jun 21, 2010 at 2:34 AM, karantan <[email protected]> wrote:
> I have been developing in pylons for about a year and a half and since
> then i always wish that we had our own built-in auth system like
> django has it. (i know this will not happen).
> with every project i wrote my own auth system (because i do not like
> repoze - for simple projects it's an overkill and for big project you
> can not modify it easily) so i was wondering if you could tell me
> where should i be careful for security holes.
>
> at login post (if success) i put user_id in session and then i secure
> every action with decorator. that decorator checks if the user is
> signed in (if there is user_id in session) and if that user has
> permission for that action.
>
> because of its simplicity i feel that it needs a bit of security
> touch. if you look at repoze.who&what or any other auth lib there is a
> ton of code so there's got to be a reason for that.
The Pylons auth recipes are here. There are three homegrown ones and two articles about Repoze. They're similar to what you're doing, which should be some reassurance.

http://wiki.pylonshq.com/display/pylonscookbook/Authentication+and+Authorization

--
Mike Orr <[email protected]>
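The "user_id in session plus a permission decorator" pattern karantan describes, written out as an added example that is not code from this thread or from the cookbook recipes linked above. It is framework independent: the session is a plain dict standing in for Beaker's session object, USERS is a constructed user store, and the checks that matter (clear and re-key the session at login, look up permissions server-side on every call, fail closed on an unknown user) are the ones a home-grown auth layer most often misses.

```python
import functools
import secrets

# Constructed sample user store standing in for the application's database.
USERS = {
    1: {"name": "alice", "permissions": {"view_report", "edit_report"}},
    2: {"name": "bob", "permissions": {"view_report"}},
}

class Unauthorized(Exception):
    """No signed-in user (HTTP 401 territory)."""

class Forbidden(Exception):
    """Signed in, but lacking the permission (HTTP 403 territory)."""

def login(session, user_id):
    """Called only after the password check has succeeded. The session is
    wiped and given a fresh id before user_id goes in, so a session id that
    existed before login is never promoted to an authenticated one."""
    session.clear()
    session["id"] = secrets.token_urlsafe(32)
    session["user_id"] = user_id

def logout(session):
    session.clear()

def require_permission(permission):
    """Decorator for actions: runs the action only if the session names a
    user who still exists and currently holds `permission`. Permissions are
    read from the user store on every call, so revocation is immediate."""
    def decorator(action):
        @functools.wraps(action)
        def wrapper(session, *args, **kwargs):
            user_id = session.get("user_id")
            if user_id is None:
                raise Unauthorized("login required")
            user = USERS.get(user_id)
            if user is None:
                session.clear()  # stale session for a deleted user: fail closed
                raise Unauthorized("login required")
            if permission not in user["permissions"]:
                raise Forbidden(f"{user['name']} lacks {permission}")
            return action(session, *args, **kwargs)
        return wrapper
    return decorator

@require_permission("edit_report")
def edit_report(session, report_id):
    return f"report {report_id} edited by user {session['user_id']}"
```

In a real Pylons app the `session` argument would come from the request rather than being passed in, and the id regeneration would be done with the session backend's own call rather than by assigning a key.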
