I've used the callback all along because it was Pyramid's original paradigm and later it seemed easier than subclassing the authentication policy. But my usernames are email addresses unless they're created by an admin, and I prefix the groups with "g:". But even if you don't use the callback I don't see how that helps you, because they're still all thrown into the same string pot anyway for Pyramid's authorization, which is based on "principal" strings rather than groups. I've never understood the reason for that. But I was porting a Pylons application where I had to write my own group-based auth system because there was no expert-written auth framework, so I was glad to finally have one of those.

On Fri, Sep 21, 2018 at 2:16 AM Adam Terrey <[email protected]> wrote:
>
> Hi All,
>
> The concern - "the user has registered as the user name group:editors" - has
> come up before in this thread
> https://groups.google.com/forum/#!topic/pylons-discuss/am0mwyLOZ0w and I also
> hit it as well today.
>
> It is really easy to write a vulnerable authentication configuration if you decide
> to use the features of CallbackAuthenticationPolicy. The thread above
> suggests to prefix user names with "user:", I suppose in
> security.remember(...), but that won't help you with
> BasicAuthAuthenticationPolicy, which makes the direct assumption that the
> credentials username is going to be your userid.
>
> I think the callback feature is too problematic; it is not mentioned in the
> narrative docs, which actually recommend overriding effective_principals with
> a new class. That is a far better solution. Perhaps the callback feature
> should be deprecated, given that it looks to be a convenience feature that
> requires a lot more thought and that the more advanced implementation is the
> one suggested by the narrative docs.
>
> Happy to file a bug if there are others that agree.
>
> - Adam
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/pylons-discuss/4a1798f8-488f-4c20-b62a-544b8d1dd23f%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Mike Orr <[email protected]>
