Hi All, The concern - "the user has resisted as the user name group:editors" has come up before in this thread https://groups.google.com/forum/#!topic/pylons-discuss/am0mwyLOZ0w and I also hit it as well today.
It is really easy to write a vulnerable authentication configuration if you decide to use the features of CallbackAuthenticationPolicy. The thread above suggests prefixing user names with "user:", I suppose in security.remember(...), but that won't help you with BasicAuthAuthenticationPolicy, which makes the direct assumption that the credentials username is going to be your userid.

I think the callback feature is too problematic. It is not mentioned in the narrative docs, which actually recommend overriding effective_principals with a new class. That is a far better solution. Perhaps the callback feature should be deprecated, given that it looks to be a convenience feature that requires a lot more thought, and that the more advanced implementation is the one suggested by the narrative docs.

Happy to file a bug if there are others that agree.

- Adam

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/4a1798f8-488f-4c20-b62a-544b8d1dd23f%40googlegroups.com.
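The collision Adam describes, shown with a small self-contained model of how a callback-style policy builds effective principals. This is an added example, not code from the thread or from Pyramid itself: `USERS`, `groupfinder`, the two `effective_principals_*` functions and the `allowed` ACL check are constructed here to mirror the behaviour discussed, with the namespaced variant standing in for the "user:" prefix / overridden effective_principals approach.

```python
# Added example: a simplified model of a callback authentication policy,
# illustrating why an unprefixed userid can collide with group principals.
# Not Pyramid's own code; every name here is constructed for illustration.

EVERYONE = "system.Everyone"
AUTHENTICATED = "system.Authenticated"

# Constructed user store: username -> list of group principals.
# The last entry is a username that an attacker chose to look like a group.
USERS = {
    "alice": ["group:editors"],
    "bob": [],
    "group:editors": [],
}


def groupfinder(userid, request=None):
    """Callback in the shape a callback policy expects: return the user's
    group principals, or None when the userid is unknown."""
    return USERS.get(userid)


def effective_principals_vulnerable(userid, callback=groupfinder):
    """Mirrors the callback policy: the raw userid is added as a principal
    next to the groups the callback returns, so a userid of
    'group:editors' is indistinguishable from real membership."""
    principals = [EVERYONE]
    if userid is None:
        return principals
    groups = callback(userid)
    if groups is None:          # unknown user: stays unauthenticated
        return principals
    return principals + [AUTHENTICATED, userid] + list(groups)


def effective_principals_namespaced(userid, callback=groupfinder):
    """Hardened variant: the userid only ever appears under its own
    'user:' namespace, so it can never equal a 'group:' principal.
    In a real app this is the kind of override the narrative docs
    recommend for effective_principals."""
    principals = [EVERYONE]
    if userid is None:
        return principals
    groups = callback(userid)
    if groups is None:
        return principals
    return principals + [AUTHENTICATED, "user:" + userid] + list(groups)


# Constructed ACL: only the editors group may edit.
ACL = [("Allow", "group:editors", "edit")]


def allowed(principals, permission, acl=ACL):
    """Minimal first-match ACL check in the style of an ACE list."""
    for action, principal, perm in acl:
        if perm == permission and principal in principals:
            return action == "Allow"
    return False


if __name__ == "__main__":
    for name in ("alice", "bob", "group:editors"):
        vuln = allowed(effective_principals_vulnerable(name), "edit")
        safe = allowed(effective_principals_namespaced(name), "edit")
        print(f"{name!r}: raw userid -> {vuln}, namespaced -> {safe}")
```

Running the block shows `bob` denied in both models, `alice` allowed in both, and the username `group:editors` allowed only under the raw-userid policy, which is exactly the privilege gain the thread is about. The namespacing has to happen wherever the userid is turned into a principal; prefixing in `remember()` alone does not help a policy such as BasicAuthAuthenticationPolicy that derives the userid directly from the supplied credentials.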
