I think the problem is that Auth creates an object called "auth" in the 
session, and the name of this session object is fixed. So, once someone 
logs in with one of your Auth instances, the other instance will pull the 
"auth" object from the session and think they are logged in with that 
instance as well. I suppose we could add the ability to customize the name 
of the session object to avoid this problem (though not sure there wouldn't 
be other problems with this approach). Anyway, this is exactly what the 
roles and permissions aspects of the Auth system are designed to address. 
Why not just create "user" and "partner" roles and use 
@auth.requires_membership(...)?

Anthony

On Saturday, April 13, 2013 12:32:36 PM UTC-4, David Ripplinger wrote:
>
> In my project, it makes a lot of sense to have two separate databases: one 
> for the users of the app and another for partners who pay to advertise to 
> those users. The data they manipulate are completely different sets. I have 
> created an auth object (named auth) for the users database (called db) and 
> another auth object (named authp) for the partners database (called dbp). I 
> want all users stuff to be under the url myapp/default and all partners 
> stuff to be under the url myapp/partners.
>
> The problem is that the app is mixing the two types of user accounts 
> together in two ways:
>
>    1. If I create a user account and a partner account with the same 
>    credentials, then signing into one allows access to the pages restricted by 
>    the other (and yes, I changed the decorators to @authp instead of @auth for 
>    the partners pages). This is especially bad without email verification 
>    (which I have not implemented yet), since someone can register as a partner 
>    under the same email as an already existing regular user but with a 
>    different password. This would allow someone else to hack the user's 
>    account.
>    2. All the redirects are messed up. Usually, after registering or 
>    signing in, unless the URL specifies a different redirect explicitly, 
>    things always redirect back to the user account and never to the partner 
>    account page.
>
> How should I be handling this properly? Any tips for having two very 
> different types of users are much appreciated.
>
> An alternative I would be happy with is actually making two separate apps, 
> but I'm not sure how to exchange some database information between them. 
> Can one app access the database of another app? Does it matter if I'm 
> currently using sqlite?
>

You received this message because you are subscribed to the Google Groups 
"web2py-users" group.