On Mon, 2011-02-28 at 10:06 -0500, Daniel Holth wrote: > I think the reasoning is that > > "Interpret the current user id from a cookie / kerberos > authentication / some key in the session" > > and > > "see whether the identified user exists in our system" > > should be in different layers. I agree this leaves me scratching my > head as to when the distinction is useful.
The distinction is useful when folks want to closely control user checking for performance reasons, ala http://docs.pylonsproject.org/projects/pyramid_cookbook/dev/authentication.html . That said, if we had it to do all over again, it would be different. See http://plope.com/pyramid_auth_design_api_postmortem - C > My first guess was 'the time between deleting a user from the > database and the expiration of an authentication cookie', except I > never delete users from my database, I would remove all their group > memberships instead. > > I am used to systems that allow any username to be logged in but don't > give any useful permissions unless that user actually has an account. > Think of passing REMOTE_USER from a single sign on system, or a system > that uses an openid as the userid. The application will only know > about a few of these users but they will be logged in whether or not > they exist in the application's database. > > While writing this example, perhaps this distinction could be used to > offer a 'create account' form to a user who had just presented a new > openid? I'm not entirely sure why that feature wouldn't just be a > special group. > > > > -- > You received this message because you are subscribed to the Google > Groups "pylons-devel" group. > To post to this group, send email to pylons-devel@googlegroups.com. > To unsubscribe from this group, send email to pylons-devel > +unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/pylons-devel?hl=en. -- You received this message because you are subscribed to the Google Groups "pylons-devel" group. To post to this group, send email to pylons-devel@googlegroups.com. To unsubscribe from this group, send email to pylons-devel+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/pylons-devel?hl=en.
