Hi everyone!

I'm pretty new to Pyramid, with previous Django/Pylons experience, and
right now I'm trying to set up the authentication/authorization scheme
for my application. Actually, I have SessionAuthenticationPolicy +
ACLAuthorizationPolicy + pyramid_beaker for sessions and caching
running just fine; there's however one detail that worries me.

It seems that any authentication/authorization processing is performed
after looking up the context/view for the current request, and only if
the view defines any permission requirement (correct me if I'm
wrong). This means that an invalid URL would result in a 404 even for a
user who is not authenticated. I'd really prefer e.g. every URL
below http://my.domain.com/admin/ to require an authenticated user (and
redirect to the login page otherwise), no matter if it maps to an
existing view or returns a 404. Otherwise attackers can try various
URLs to e.g. discover the database record IDs (if they appear in the
URLs, of course).

With my limited Pyramid experience I see 2 options so far, but I'm not
entirely happy with them:

a) create my own WSGI middleware (or a Pyramid tween, but I'm not
familiar with them yet) wrapping the application, performing the actual
authentication and redirecting to the login page if no user is logged
in. I'm not happy about this option, as it's basically reinventing the
wheel.

b) register a custom view handling the 404 situation, that would
redirect to the login page if no user is logged in, or show the actual
404 message. I'd also need something similar for the "forbidden view".
This seems like mixing layers: I don't want authentication-related
stuff in my views.

How do I do it properly? I'm pretty sure there are many other ways
to do it (hooks, perhaps?), yet I'm really time-limited in my
research. Any recipes, examples, etc. are more than welcome :)

Thanks!
(and forgive my English)

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
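An added example of option (a), as a plain WSGI middleware that runs with nothing but the Python standard library (it is not code from the post, from Pyramid or from pyramid_beaker). The gate runs before the wrapped application does any routing, so an unknown URL under the protected prefix is redirected exactly like a valid one and an anonymous client cannot tell them apart. The authentication check is a callable you pass in; the demo `remote_user_authenticated` just looks at `REMOTE_USER`, which is an assumption standing in for a real session check, and `demo_app` with its `KNOWN_PAGES` table is a constructed stand-in for the application that returns 404 for unlisted paths. Paths are normalized before the prefix test so that `/x/../admin/y` cannot slip past it, and a sibling such as `/administrator` is deliberately left unprotected.

```python
# Added example: gate every path under a prefix behind authentication at the
# WSGI layer, before the inner application looks up any view.
from posixpath import normpath
from urllib.parse import urlencode


def normalize_path(path):
    """Resolve dot segments and repeated slashes so that "/x/../admin/y"
    is treated as "/admin/y" and cannot slip past a naive prefix check."""
    if not path.startswith("/"):
        path = "/" + path
    normalized = normpath(path)
    # posixpath.normpath keeps exactly two leading slashes; collapse them so
    # the "next" parameter built below can never become "//evil.example".
    if normalized.startswith("//"):
        normalized = normalized[1:]
    # normpath drops a trailing slash; restore it so "/admin/" stays distinct.
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_under(path, prefix):
    """True for the prefix itself and anything below it, but not for a
    sibling such as "/administrator" when the prefix is "/admin/"."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")


class RequireLogin:
    """WSGI middleware: every path under `prefix` needs an authenticated user."""

    def __init__(self, app, prefix, login_path, is_authenticated):
        self.app = app
        self.prefix = prefix
        self.login_path = login_path
        self.is_authenticated = is_authenticated

    def __call__(self, environ, start_response):
        path = normalize_path(environ.get("PATH_INFO") or "/")
        if is_under(path, self.prefix) and not self.is_authenticated(environ):
            # Redirect before the inner app sees the request; "next" carries
            # the normalized local path so the login view can send the user
            # back, and never an absolute URL (no open redirect).
            location = "%s?%s" % (self.login_path, urlencode({"next": path}))
            start_response("302 Found", [
                ("Location", location),
                ("Content-Length", "0"),
                ("Cache-Control", "no-store"),
            ])
            return [b""]
        return self.app(environ, start_response)


def remote_user_authenticated(environ):
    """Demo check (assumption): some upstream layer sets REMOTE_USER when a
    session is valid. Replace with your own session/cookie check."""
    return bool(environ.get("REMOTE_USER"))


# Constructed stand-in for the real application: anything not listed is a
# 404, which is exactly the case the post is worried about.
KNOWN_PAGES = {
    "/": b"public home",
    "/admin/": b"admin index",
    "/admin/users/42": b"user 42",
}


def demo_app(environ, start_response):
    body = KNOWN_PAGES.get(environ.get("PATH_INFO") or "/")
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


protected_app = RequireLogin(demo_app, "/admin/", "/login",
                             remote_user_authenticated)


def call(app, path, remote_user=None):
    """Drive a WSGI app in-process; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if remote_user:
        environ["REMOTE_USER"] = remote_user
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

With this in place, `call(protected_app, "/admin/users/999")` answers with a 302 to `/login?next=%2Fadmin%2Fusers%2F999`, while the same request with `remote_user="alice"` reaches the inner app and gets its real 404; `/public/../admin/` is redirected because it normalizes to `/admin/`, and `/administrator` falls through to the application untouched. In a Pyramid project the same class can wrap the object returned by `config.make_wsgi_app()`, or the body of `__call__` can be moved into a tween registered with `config.add_tween`, where `request.path` and the request's authentication policy replace the raw `environ` lookups.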