On 10/24/05, p <[EMAIL PROTECTED]> wrote:
> 1. I've read somewhere that login control and acl control should be
> separated. Is that correct and if so, why?

It's usually separated because there's the notion of "who are you" and then there's the notion of "what are you allowed to do". Who you are doesn't really change over the course of an application, but what you're allowed to do can. (And, if you've got security infrastructure to support it), "who you are" may be answered with the same code for many applications, whereas "what you're allowed to do" is much more application specific.

> 2. Are there settled design (patterns) for implementing login
> functionality? If so, suggestions for resources to look at? (Perhaps
> more generally, what is the general state of the art?)

In TurboGears 0.8, you basically need to look at the CherryPy solutions for this. Jeff Watkins just checked in code for TurboGears 0.9 (see the various threads about "identity management") that will start to set the standards for TurboGears.

> 2. Are there settled design (patterns) for implementing acl
> functionality? If so, suggestions for resources to look at? (Perhaps
> more generally, what is the general state of the art?)

The code Jeff checked in is designed to handle both parts of the picture.

> 3. I assume I should use sessions from cherrypy to handle login, but
> I'd like a little more fine-grained control over the cookie
> (specifically, I'd like to end a session after XX minutes of inactivity
> and pop up a warning right before the expiration to allow the user to
> refresh the session). Any suggestions (I'm not all that adept with
> cherrypy yet, so perhaps I'm missing something)?

I haven't looked closely enough at the details of Jeff's implementation to know where this one stands. You will be able to plug in your own code, if you want to do something special. Popping up a warning "right before the expiration" is going to require JavaScript of some kind.

The easiest thing would be to have a common snippet of JavaScript code that looks at the cookie's expiration and sets up a timer to take some appropriate action when that time approaches. Note that if the user has multiple windows open on your application, each window will be taking that action without additional steps taken on your part.

> 4. Is there a general framework(s) for acl in turbogears, and if so,
> where?

The code is under construction in svn (in the turbogears.identity package). You can take a look here:

http://trac.turbogears.org/turbogears/browser/trunk/turbogears/identity/

Jeff posted a howto a couple days back:

http://metrocat.org/nerd/2005/10/identity-management-for-turbogears

Since this code is under construction, now is a great time to chime in with anything different you may need it to do. Since every project has unique needs, the code will not automatically meet every project's needs out-of-the-box, but it should at least make it possible to plug in code that does the specific actions you need.

Kevin

--
Kevin Dangoor
Author of the Zesty News RSS newsreader
email: [EMAIL PROTECTED]
company: http://www.BlazingThings.com
blog: http://www.BlueSkyOnMars.com
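The two points in the reply above (keep "who are you" separate from "what are you allowed to do", and end a session after a period of inactivity with a client-side warning beforehand) are shown together in the following added example. It is not code from the thread, from TurboGears or from CherryPy; the names `SessionStore`, `Identity`, `touch`, `expires_at`, `authorize` and `session_cookie_headers` are assumptions made for this example. The server side is where the timeout has to be enforced; the browser script Kevin describes can only warn, and since JavaScript cannot read a cookie's `Expires` attribute, the server has to hand the expiry time to the page in a form a script can read (here, a second, non-HttpOnly cookie).

```python
"""
Added example: an idle-timeout session store that keeps identity
(authentication) separate from permission checks (authorization).
All class and function names here are assumptions for this example,
not TurboGears identity APIs.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    """'Who are you': fixed for the life of the session."""
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


class ManualClock:
    """Injectable clock so the timeout logic can be exercised deterministically."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


class SessionStore:
    def __init__(self, idle_timeout_s, clock=time.time):
        self.idle_timeout_s = idle_timeout_s
        self._clock = clock
        self._sessions = {}  # session id -> (Identity, last activity timestamp)

    def login(self, identity):
        sid = secrets.token_urlsafe(32)  # unguessable id; never derive it from the user name
        self._sessions[sid] = (identity, self._clock())
        return sid

    def lookup(self, sid):
        """Resolve 'who are you' for sid; None if unknown or idle for too long.
        The server decides expiry here regardless of what the browser believes."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        identity, last_activity = entry
        if self._clock() - last_activity > self.idle_timeout_s:
            del self._sessions[sid]  # drop it so a stale id can never come back
            return None
        return identity

    def touch(self, sid):
        """Record activity (the 'refresh the session' request from the warning popup)."""
        identity = self.lookup(sid)
        if identity is None:
            return None
        self._sessions[sid] = (identity, self._clock())
        return identity

    def expires_at(self, sid):
        """Epoch seconds at which the session dies if nothing else happens."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        return entry[1] + self.idle_timeout_s

    def logout(self, sid):
        self._sessions.pop(sid, None)


def authorize(identity, required_role):
    """'What are you allowed to do': a separate, application-specific check."""
    return identity is not None and required_role in identity.roles


def session_cookie_headers(sid, expires_at):
    """Two Set-Cookie values: the id itself is HttpOnly (scripts must not read it);
    the expiry is a plain readable cookie so a page timer can warn the user."""
    return [
        f"session_id={sid}; Path=/; HttpOnly; Secure",
        f"session_expires={int(expires_at)}; Path=/; Secure",
    ]


if __name__ == "__main__":
    clock = ManualClock()
    store = SessionStore(idle_timeout_s=600, clock=clock)
    sid = store.login(Identity("alice", frozenset({"editor"})))
    print(session_cookie_headers(sid, store.expires_at(sid)))
    clock.now += 601  # user walked away for just over ten minutes
    print("still logged in:", store.lookup(sid) is not None)
```

Every request does `lookup` once to answer "who are you", then any number of `authorize` calls to answer "what are you allowed to do"; the warning script reads `session_expires`, sets a timer, and on the user's confirmation calls an endpoint that does `touch`, which is the only way the deadline moves.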

