On 12/21/05, Alvin Wang <[EMAIL PROTECTED]> wrote:
> 1) I don't like the way it currently works
> I want to be able to say
> @identity.require(module=forums, rights='create')
> or
> @identity.require(module=forums, rights='owner')
> I want my ACLs in the DB so I can admin without editing code.

Something that Jeff and I have talked about that is missing from identity right now is the notion of the context that a specific permission is being requested for. This is what you're looking for... (it's also application-specific, so it would always require some sort of plugin that identity would poll to check on the context).

> 2) It is not DRY
> I will pull the access list from my DB. I would rather use the
> CherryPy session filter in the spirit of DRY. I was reading the
> CherryPy email list and they are working on maintaining sessions via
> URLs.
>
> I saw that Jeff was concerned about the scalability of sessions. He
> was thinking about writing an identity cache. I think it would make
> more sense to just have a session cache is that would make it faster.

I admit that I'm still not as well-versed in the identity code as I'd like to be. Just moving something from the database into the session is not necessarily going to make things faster (it depends on how the session is managed). The notion with using a cookie rather than a session is that a signed cookie *should* allow you to verify the user *without* querying the database.

> I want to leave the session layer in CherryPy where they are doing lots
> of cool work and building lots of options. They have a new
> sessionauthenticate filter in the latest release.

While sessions *can* be used for authentication, there does not *have* to be a link between sessions and auth. For a great many applications, using sessions is just fine. But, the advantage of a signed cookie (if implemented well) is that you get the "shared nothing" principle that allows you to easily scale upward just by tossing another box behind a load balancer.

> It seems like I can just write a simple security decorator to drop on
> top of the CherryPy goodness. Am I crazy and missing something?

You certainly can do this.

My hope with identity is not that it will meet *every* need through included code (because that is truly impossible), but that it will have ample plug points to meet every security-related need by plugging in code that does the right things. identity is not much concerned with things *beyond* security which could be stored in your database or a session.

Kevin

--
Kevin Dangoor
Author of the Zesty News RSS newsreader

email: [EMAIL PROTECTED]
company: http://www.BlazingThings.com
blog: http://www.BlueSkyOnMars.com
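
The signed-cookie approach discussed in the message above, as an added example that is not part of the original email and is not TurboGears identity code: an HMAC-signed cookie carrying a user id and expiry, verified with only a key shared by every server. All names (`make_cookie`, `verify_cookie`, `SECRET_KEY`) and the cookie layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed key for this example; in practice every box behind the load
# balancer is configured with the same randomly generated secret.
SECRET_KEY = b"constructed-example-key-not-for-production"


def encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_cookie(user_id, ttl_seconds, key=SECRET_KEY, now=None):
    """Return 'payload.signature'; the payload is 'user_id|expiry'."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}|{issued + ttl_seconds}".encode("utf-8")
    return encode(payload) + "." + encode(sign(payload, key))


def verify_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.

    No database or session store is consulted: the key is the only state.
    """
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode("ascii"))
        signature = base64.urlsafe_b64decode(sig_b64.encode("ascii"))
        # Check the signature before trusting any field of the payload,
        # using a constant-time comparison.
        if not hmac.compare_digest(signature, sign(payload, key)):
            return None
        user_id, expires = payload.decode("utf-8").rsplit("|", 1)
        if int(expires) <= int(time.time() if now is None else now):
            return None
        return user_id
    except (ValueError, UnicodeError):
        # Malformed cookie: wrong number of parts, bad base64, bad expiry.
        return None
```

A cookie verified this way stays valid until its expiry, so revoking a user earlier needs some server-side state such as a key rotation or a deny list.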

