Massimo: I don't know if this should be considered a bug, but it appears requires_login() redirects to default/user/login if a not-logged-in user accesses a page that requires login. The problem is if the log- in function is not with the default controller and/or not called "user", the redirect will send to a broken link.
I think the log in page is supposed to be overridden by setting auth.settings.login_url, but that doesn't seem to work for me.
