In my application, authenticated_userid() is just the integer primary key of the user table stored in an auth_tkt cookie. It does not consult the database at all. I do not remove users from the database, but they have an 'is_active' flag which controls whether they are allowed to log in.
The effective_principals callback is pretty much `return [str(group) for group in request.sqlalchemy_session.query(User).get(authenticated_userid(request)).groups]`, which could be only 1 query by eagerloading the groups, but I don't mind doing 2. Since the sqlalchemy session for the request keeps an identity map <http://martinfowler.com/eaaCatalog/identityMap.html> of all objects fetched during the transaction, `sqlalchemy_session.query(User).get(authenticated_userid(request))` is a dict lookup, not a SQL query, during the remainder of the request. Hey look, here's the source: https://bitbucket.org/dholth/stucco_auth/src/stucco_auth/security.py

Daniel Holth
_______________________________________________ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
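An added worked example of the pattern described in the message above. This is not code from stucco_auth or from Daniel Holth; it is a self-contained sketch that assumes a stand-in `Request` object, a stubbed `authenticated_userid()` that hands back the integer id from the cookie without touching the database, a constructed users/groups schema in an in-memory SQLite database, and a hand-rolled per-request dict standing in for SQLAlchemy's session identity map. The point it shows that the message only states: the second lookup of the same user within a request costs no SQL, and, because the cookie itself is never checked against the database, the groupfinder callback is the one per-request place where a deactivated user holding a still-valid auth_tkt cookie can be turned away (Pyramid treats a callback return of `None` as "not authenticated", while an empty list means "authenticated, no groups").

```python
import sqlite3

# Constructed sample schema (not the real stucco_auth tables): users carry an
# is_active flag, and group membership lives in a join table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_active INTEGER);
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user_groups (user_id INTEGER, group_id INTEGER);
"""


class Request:
    """Stand-in for a Pyramid request (hypothetical): one DB connection per
    request plus an identity map, so a given user row is read from SQL once."""

    def __init__(self, conn, userid):
        self.conn = conn
        self._userid = userid          # what the auth_tkt cookie would carry
        self.identity_map = {}         # plays the role of the SQLAlchemy session's map
        self.query_count = 0           # instrumentation for the example only


def authenticated_userid(request):
    """Hypothetical stub: the integer user id from the auth_tkt cookie.
    Deliberately does not consult the database, as in the message."""
    return request._userid


def get_user(request, userid):
    """Load a user (with group names) from SQL the first time, then from the
    per-request identity map on every later call within the same request."""
    key = ("User", userid)
    if key in request.identity_map:
        return request.identity_map[key]
    request.query_count += 1
    rows = request.conn.execute(
        "SELECT u.id, u.username, u.is_active, g.name FROM users u "
        "LEFT JOIN user_groups ug ON ug.user_id = u.id "
        "LEFT JOIN groups g ON g.id = ug.group_id "
        "WHERE u.id = ? ORDER BY g.name",
        (userid,),
    ).fetchall()
    if not rows:
        user = None                    # unknown id: cache the miss too
    else:
        user = {
            "id": rows[0][0],
            "username": rows[0][1],
            "is_active": bool(rows[0][2]),
            "groups": [name for (_, _, _, name) in rows if name is not None],
        }
    request.identity_map[key] = user
    return user


def effective_principals(userid, request):
    """groupfinder-style callback in the shape Pyramid's auth_tkt policy
    expects: (userid, request) -> list of group principals, or None to deny.
    The is_active check here is the only place a cookie issued before the
    account was deactivated gets rejected."""
    user = get_user(request, userid)
    if user is None or not user["is_active"]:
        return None
    return [str(name) for name in user["groups"]]


def make_request(userid):
    """Build an in-memory database with constructed sample rows and a request
    for the given cookie user id."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "mallory", 0)])
    conn.executemany("INSERT INTO groups VALUES (?, ?)",
                     [(10, "admins"), (11, "editors")])
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)",
                     [(1, 10), (1, 11), (2, 10)])
    return Request(conn, userid)


if __name__ == "__main__":
    req = make_request(1)
    uid = authenticated_userid(req)
    print(effective_principals(uid, req), "queries:", req.query_count)
    print(effective_principals(uid, req), "queries:", req.query_count)  # still 1
    deactivated = make_request(2)
    print(effective_principals(authenticated_userid(deactivated), deactivated))
```

Caching the miss (`None`) in the identity map mirrors the message's claim that repeated `get()` calls within a request stay in memory; with a real SQLAlchemy session the same effect comes for free from the session, and the `is_active` test would sit on the mapped `User` object instead of a dict.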