Short Question If I write my own security layer, will I lose anything? forms, widgets, catwalk?
Thanks Alvin Long explanation No offense to Jeff - As mentioned, I just want to do things differently. http://nerd.newburyportion.com/2005/11/creating-your-own-identity-model I was looking through the Identity code and it is really interesting. It looks like it should be able to do the things I want but it is not documented yet. 2 problems - 1) I don't like the way it currently works I want to be able to say @identity.require(module=forums, rights='create') or @identity.require(module=forums, rights='owner') I want my ACLs in the DB so I can admin without editting code. 2) It is not DRY I will pull the access list from my DB. I would rather use the cherrypy session filter in the spirit of DRY. I was reading the Cherrypy email list and they are working on maintaining sessions via URLs. I saw that Jeff was concerned about the scalability of sessions. He was thinking about writing an identity cache. I think it would make more sense to just have a session cache is that would make it faster. I want to leave the session layer in Cherrypy where they are doing lots of cool work and building lots of options. They have a new sessionauthenticate filter in the latest release. From http://www.cherrypy.org/trunk/docs/book/chunk/ch03s03.html#id3282446 3.4.1.12. sessionauthenticatefilter The sessionauthenticatefilter provides simple form-based authentication and access control. The Cherrypy people have done a lot of work. They have solved the problem of losing Get parameters when logging in. Contention when 2 processes try to write to the session at once. Etc I need session anyway for a number of things. I want to track referrals when people have not logged in. How long people are logged in. Etc. Cherrypy has a lot of the hooks built in already. It seems like I can just write a simple security decorator to drop on top of the Cherrypy goodness. Am I crazy and missing something? Thanks again,
