Hi everyone! I'm pretty new to Pyramid, with previous Django/Pylons experience; right now I'm trying to set up the authentication/authorization scheme for my application. Currently I have SessionAuthenticationPolicy + ACLAuthorizationPolicy + pyramid_beaker for sessions and caching running just fine; there's, however, one detail that worries me.
It seems that any authentication/authorization processing is performed after looking up the context/view for the current request, and only if the view defines a permission requirement (correct me if I'm wrong). This means that an invalid URL results in a 404 even for a user who is not authenticated. I'd really prefer, e.g., every URL below http://my.domain.com/admin/ to require an authenticated user (and redirect to the login page otherwise), no matter whether it maps to an existing view or returns a 404. Otherwise attackers can try various URLs to, e.g., discover the database record IDs (if they appear in the URLs, of course).

With my limited Pyramid experience I see 2 options so far, but I'm not entirely happy with them:

a) Create my own WSGI middleware (or a Pyramid tween, but I'm not familiar with them yet) wrapping the application, performing the actual authentication and redirecting to the login page if no user is logged in. I'm not happy about this option, as it's basically reinventing the wheel.

b) Register a custom view handling the 404 situation that would redirect to the login page if no user is logged in, or show the actual 404 message. I'd also need something similar for the "forbidden view". This seems like mixing layers - I don't want authentication-related stuff in my views.

How to do it properly? I'm pretty sure there are many other ways to do it (hooks, perhaps?), yet I'm really time limited in my research. Any recipes, examples, etc. are more than welcome :)

Thanks! (and forgive my English)

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
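One way to gate a whole URL prefix before the application ever maps the URL to a view, as an added illustration of option (a) that is not code from the original post or from Pyramid itself: a pure-WSGI middleware, exercised here against a stand-in app. The `is_authenticated` hook, its default `REMOTE_USER` check, and `toy_app` are assumptions; with pyramid_beaker the hook would inspect the beaker session in the environ instead.

```python
from urllib.parse import quote


class PrefixAuthGate:
    """WSGI middleware: every path under `prefix` requires a logged-in user.
    `is_authenticated(environ)` is an assumed application-supplied hook; the
    default checks REMOTE_USER, a constructed stand-in for a session lookup."""

    def __init__(self, app, prefix="/admin/", login_url="/login",
                 is_authenticated=lambda env: bool(env.get("REMOTE_USER"))):
        self.app = app
        self.prefix = prefix
        self.login_url = login_url
        self.is_authenticated = is_authenticated

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        if path.startswith(self.prefix) and not self.is_authenticated(environ):
            # Redirect before the wrapped app maps the URL to a view, so an
            # anonymous caller sees the same 302 for existing and unknown paths.
            location = "%s?next=%s" % (self.login_url, quote(path, safe=""))
            start_response("302 Found", [("Location", location),
                                         ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def toy_app(environ, start_response):
    """Constructed stand-in for the Pyramid app: one view, 404 otherwise."""
    if environ.get("PATH_INFO") == "/admin/users/1":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"user 1"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(app, path, user=None):
    """Drive a WSGI app with a constructed environ; return (status, Location)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if user:
        environ["REMOTE_USER"] = user
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    list(app(environ, start_response))  # consume the body iterable
    return seen["status"], seen["headers"].get("Location")
```

Without the gate, `toy_app` answers an anonymous probe of `/admin/users/999` with a 404 and of `/admin/users/1` with a 200, which is exactly the existence signal described above; with the gate both get the same 302 to the login page.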
