Yes, that's what I have done and I got the logged-in user's id. My colleague just had the excellent idea of exposing a JSON API in our web2py app for checking permissions. Then Tornado handlers can query permissions through HTTP and we don't have this problem. I just wonder if there are some security issues here...
Thanks for being active on this anyways!

