Hi, >First, I think Identity has a good syntax for checking authorization, >and if we can keep that syntax but have a more plugable backend we'll >be in really good shape. > > I agree, apart from one thing. It would be really helpful to be able to set authorization controls on a whole controller. This gets away from the worry that you'll forget the decorator on an admin function and leave the site vulnerable.
Beyond that, my main need is pluggable authentication. I use Integrated Windows Authentication on most of my sites, and at the moment I'm hand-rolling authorization. >Second, Authentication and Authorization should probably be split out >into separate packages. > I'm so-so on this. If they are separated, we need to have good glue, so the solution scales down to simple projects without too much boilerplate. Don't see a pressing reason to separate, unless we're set on using two libs that are currently separate. >TurboPeakSecurity is another option, that we can consider, but I don't >want to make it the default in tg2 just yet. > > That sounds sensible. I guess the main question is: do we have a clear idea what flexibility TPS offers over Identity? If there's something compelling it may be worth the churn. BTW, on recruitment, I am interested in contributing in this area, but I see work on SQLAlchemy integration as higher priority for now. Take care, Paul --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/turbogears-trunk?hl=en -~----------~----~----~----~------~----~------~--~---
