Adam, I'd be interested in reviewing a PR that (at least) docs-deprecated the feature. By this I mean removing most info about it from the docs and pointing people at the subclassing approach - but without actually changing the code. I've already changed at least one example in the Pyramid docs to recommend the subclass approach [1] and I agree that it should be recommended everywhere. As far as actually deprecating the CallbackAuthenticationPolicy and callback argument to the policies with future removal of that code, I do not mind if that is done but it would need to be done carefully and with good documentation. If that's something you're interested in, I welcome the PR! Obviously others are welcome to object to removing the feature entirely. The best time to do it would be *right now*. We'd deprecate it in 1.10 and remove it in 2.0 as we're planning to do with pickle-based sessions [2].
[1] https://docs.pylonsproject.org/projects/pyramid/en/1.9-branch/narr/security.html#extending-default-authentication-policies
[2] https://github.com/Pylons/pyramid/pull/3353

On Fri, Sep 21, 2018 at 4:16 AM Adam Terrey <[email protected]> wrote:
> Hi All,
>
> The concern - "the user has registered as the user name group:editors" has come up before in this thread https://groups.google.com/forum/#!topic/pylons-discuss/am0mwyLOZ0w and I also hit it as well today.
>
> It is really easy to write a vulnerable authentication configuration if you decide to use the features of CallbackAuthenticationPolicy. The thread above suggests to prefix user names with "user:" I suppose in security.remember(...) but that won't help you with BasicAuthAuthenticationPolicy which makes the direct assumption that the credentials username is going to be your userid.
>
> I think the callback feature is too problematic, it is not mentioned in the narrative docs which actually recommends overriding effective_principals with a new class. That is a far better solution. Perhaps the callback feature should be deprecated? Given that it looks to be a convenience feature that requires a lot more thought and that the more advanced implementation is the suggested one from the narrative docs.
>
> Happy to file a bug if there are others that agree.
>
> - Adam
>
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/4a1798f8-488f-4c20-b62a-544b8d1dd23f%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
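The principal-namespace collision discussed in this thread, as an added example that is not part of the original messages or of Pyramid's code: a constructed, simplified model of how a callback-style policy assembles effective principals (Pyramid itself is not imported), beside the subclassing approach from the narrative docs, which prefixes the userid so user and group principals can never collide. The USERS table, groupfinder and can_edit are constructed for the illustration.

```python
# Constructed model of callback-style principal assembly: a simplified
# stand-in for Pyramid's CallbackAuthenticationPolicy, not Pyramid's code.
EVERYONE = "system.Everyone"
AUTHENTICATED = "system.Authenticated"

# Constructed user table: the second account registered a username that
# is spelled exactly like a group principal.
USERS = {
    "alice": ["editors"],
    "group:editors": [],
}

def groupfinder(userid, request=None):
    """Callback in the style of the Pyramid tutorials: returns the user's
    group principals, or None when the userid is unknown."""
    groups = USERS.get(userid)
    if groups is None:
        return None
    return ["group:" + g for g in groups]

def callback_principals(userid, request=None):
    """Callback style: the raw userid is appended as a principal right
    next to the group principals, so they share one namespace."""
    principals = [EVERYONE]
    if userid is None or userid in (EVERYONE, AUTHENTICATED):
        return principals
    groups = groupfinder(userid, request)
    if groups is None:
        return principals
    principals += [AUTHENTICATED, userid]
    principals.extend(groups)
    return principals

def subclass_principals(userid, request=None):
    """Subclassing approach: effective_principals is overridden so the user
    principal always carries a 'user:' prefix and cannot name a group."""
    principals = [EVERYONE]
    groups = USERS.get(userid) if userid is not None else None
    if groups is None:
        return principals
    principals += [AUTHENTICATED, "user:" + userid]
    principals.extend("group:" + g for g in groups)
    return principals

def can_edit(principals):
    """Constructed ACL check: only the editors group holds 'edit'."""
    acl = [("Allow", "group:editors", "edit")]
    return any(p in principals for act, p, perm in acl
               if act == "Allow" and perm == "edit")
```

With the callback style, the account named "group:editors" passes the ACL check without being in the editors group; with the prefixed principals it does not, and Alice still does.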
