Lethalman wrote:
> I think there should be this kind of hierarchy (when I say "model"
> don't relate it to sqlobjects):
> Authorizations:
> 1) Abstract auth models
> 2) Various auth models (basic auth, digest auth, session-based auth,
> cookie-based auth)
I suggest that the term "auth" should be thoroughly banned from any
discussion of authorization, authentication, and identification. I
might even suggest authorization and authentication are bad terms, and
instead identification and permission should be used. These two
concepts should be thoroughly separated, even if HTTP basic, Apache,
Zope 2, and some other systems conflate them.
The first thing to figure out is how identification should work.
Personally I think you should have:
* A username or user object attached to request, possibly None.
* An exception that means "login required", like a 401.
* An exception that means "permission denied", like a 403.
That's about it. The identification system should check the request for
anything identifying the user (IP address, HTTP Basic auth, a signed
cookie). It should catch the login required exception, and turn that
into a proper 401 response, login page, redirect to login page, etc.
Catch the permission denied exception and just say permission denied.
This makes permission systems fairly easy to implement, and you can
standardize that part later and entirely separately.
--
Ian Bicking / [EMAIL PROTECTED] / http://blog.ianbicking.org
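The split Ian describes above (identification attaches a user or None to the request; two exceptions map to 401 and 403; permission checks live in the application and raise them), as an added example in WSGI-style Python that is not code from the thread or from any project discussed in it. The names `identify`, `identification_middleware`, `require_permission`, the `demo.user` environ key, the `session` cookie and the credential and permission tables are all constructed for this demonstration:

```python
import base64
import hashlib
import hmac

# Constructed sample data for the demo; not from the original thread.
COOKIE_SECRET = b"constructed-demo-secret"
CREDENTIALS = {"alice": "alicepass", "bob": "bobpass"}   # HTTP Basic users
PERMISSIONS = {"alice": {"admin"}, "bob": set()}         # who may do what


class LoginRequired(Exception):
    """Nobody was identified but the view needs someone: becomes a 401."""


class PermissionDenied(Exception):
    """Someone was identified but may not do this: becomes a 403."""


def sign_username(username, secret=COOKIE_SECRET):
    """Cookie value 'username|hmac' so the server can trust the name later."""
    mac = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"


def basic_header(username, password):
    """Build an HTTP Basic Authorization header value (used by the demo)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def identify(environ):
    """Identification only: return a username or None, never raise.
    Sources checked, in order: REMOTE_USER set by the server, an HTTP Basic
    header, and a signed cookie named 'session'."""
    if environ.get("REMOTE_USER"):
        return environ["REMOTE_USER"]

    header = environ.get("HTTP_AUTHORIZATION", "")
    if header.startswith("Basic "):
        try:
            decoded = base64.b64decode(header[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return None  # malformed header: treat as anonymous, not as an error
        username, _, password = decoded.partition(":")
        expected = CREDENTIALS.get(username)
        if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()):
            return username
        return None

    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            username = value.rpartition("|")[0]
            # constant-time check of the whole value against a fresh signature
            if username and hmac.compare_digest(sign_username(username), value):
                return username
    return None


def identification_middleware(app):
    """Attach the identified user to the request and map the two exceptions
    to 401 and 403 responses; the permission logic stays in the app."""
    def wrapped(environ, start_response):
        environ["demo.user"] = identify(environ)
        try:
            return app(environ, start_response)
        except LoginRequired:
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="demo"'),
                            ("Content-Type", "text/plain")])
            return [b"login required"]
        except PermissionDenied:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"permission denied"]
    return wrapped


def require_permission(environ, permission):
    """Permission check, kept entirely separate from identification."""
    user = environ.get("demo.user")
    if user is None:
        raise LoginRequired()
    if permission not in PERMISSIONS.get(user, set()):
        raise PermissionDenied()


def admin_app(environ, start_response):
    # The check runs before start_response, so the middleware can still set
    # a different status when one of the exceptions is raised.
    require_permission(environ, "admin")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ["demo.user"].encode()]


application = identification_middleware(admin_app)


def call(environ):
    """Drive the WSGI app by hand and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(application(environ, start_response))
    return captured["status"], body
```

Anonymous requests get a 401 with a `WWW-Authenticate` challenge (a redirect to a login page would be the equivalent for cookie-based sites), an identified user without the permission gets a 403, and a cookie whose username was altered fails the HMAC comparison and is treated as anonymous. Because `identify` never raises, a permission system can be layered on later without touching the identification code.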