In my application, authenticated_userid() is just the integer primary key of
the user table stored in an auth_tkt cookie. It does not consult the
database at all. I do not remove users from the database, but they have an
'is_active' flag which controls whether they are allowed to log in.

The effective_principals callback is pretty much

return [str(group) for group in
request.sqlalchemy_session.query(User).get(authenticated_userid(request)).groups]

which could be only 1 query by eagerloading the groups, but I don't mind
doing 2.

Since the sqlalchemy session for the request keeps an identity
map<http://martinfowler.com/eaaCatalog/identityMap.html>of all objects
fetched during the transaction,
sqlalchemy_session.query(User).get(authenticated_userid(request)) is a dict
lookup, not a SQL query, during the remainder of the request.

Hey look, here's the source:
https://bitbucket.org/dholth/stucco_auth/src/stucco_auth/security.py

Daniel Holth
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev

Reply via email to