On Wednesday, December 24, 2014 1:52:53 PM UTC-5, Mike Orr wrote:

> I think I misunderstood what you meant. You mean to display the
> current session (in which case it can pull it from 'request.session'
> without knowing the session ID)? I do do that in some applications,
> and that may be the easiest way here.

Actually, that might be a good idea to do with a debugtoolbar_panel.

> But as for displaying other sessions or all sessions, I'm not sure I
> want to do it in an /admin view, both to minimize the security
> exposure and to avoid feature creep. I have other command-line
> utilities so this would be just one more of them.

That's what I was talking about. It's often WAY easier to deal with than command line tools.

For stuff like that, I handle the security two ways:

1. I use a toggle to determine if the tool's route + view will even be loaded. This lets me run it only on development. Using the twitter-bootstrap css framework, I can bang out a view-only admin tool as fast as building a commandline script.

2. If I run it on production, I toss the URL behind an HTTP Browser Auth. This way one needs to have /Admin access (via the app, and possibly browser auth) AND a specific URL auth. This isn't a perfect solution, but it greatly minimizes potential access if I need to turn this on for 20 minutes.
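
The two safeguards described in the reply above, shown as an added example that is not code from the thread or from Pyramid: a settings toggle decides whether the tool's route exists at all, and in production the route is additionally wrapped in HTTP Basic auth. It uses plain WSGI from the standard library; the setting names, the `/admin/sessions` path and the `session_viewer` stand-in are assumptions, and the application's own /Admin permission check is assumed to sit in front of this separately.

```python
import base64
import hmac

def session_viewer(environ, start_response):
    """Stand-in for the view-only admin tool (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"session list (read-only)\n"]

def require_basic_auth(app, username, password, realm="admin-tools"):
    """Wrap a WSGI app so it answers only to valid HTTP Basic credentials."""
    expected = f"{username}:{password}".encode()

    def guarded(environ, start_response):
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        try:
            supplied = base64.b64decode(token, validate=True)
        except ValueError:  # malformed base64 or non-ASCII header
            supplied = b""
        # Constant-time comparison avoids leaking how much of the secret matched.
        if scheme.lower() == "basic" and hmac.compare_digest(supplied, expected):
            return app(environ, start_response)
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", f'Basic realm="{realm}"'),
                        ("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    return guarded

def build_routes(settings):
    """Return {path: app}; the tool is absent entirely unless toggled on."""
    routes = {}
    # Setting names below are assumptions made for this example.
    if settings.get("admin_tools.enabled", "false").lower() == "true":
        tool = session_viewer
        user = settings.get("admin_tools.user")
        pw = settings.get("admin_tools.password")
        if settings.get("env") == "production":
            if not (user and pw):  # fail closed: never expose it unauthenticated
                raise ValueError("production requires admin_tools credentials")
            tool = require_basic_auth(tool, user, pw)
        routes["/admin/sessions"] = tool
    return routes

def dispatch(routes, environ, start_response):
    """Minimal router: an unregistered path is a 404, as if the tool never existed."""
    app = routes.get(environ.get("PATH_INFO", ""))
    if app is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    return app(environ, start_response)
```

With the toggle off the path returns 404 rather than 401, so the tool's existence is not advertised; Basic auth sends credentials base64-encoded only, so the production route should be served over TLS.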
