In my application, authenticated_userid() is just the integer primary key of
the user table stored in an auth_tkt cookie. It does not consult the
database at all. I do not remove users from the database, but they have an
'is_active' flag which controls whether they are allowed to log in.
The effective_principals callback is pretty much
return [str(group) for group in
which could be only 1 query by eagerloading the groups, but I don't mind
Since the sqlalchemy session for the request keeps an identity
map<http://martinfowler.com/eaaCatalog/identityMap.html>of all objects
fetched during the transaction,
sqlalchemy_session.query(User).get(authenticated_userid(request)) is a dict
lookup, not a SQL query, during the remainder of the request.
Hey look, here's the source:
Repoze-dev mailing list