granted, but discussing to fix this is like - kinda, please grant me a bit of exaggeration - forcing a user to logout if the developer changes the password in the database. Identity verification (and the consequent "authorization") is meant to happen at a time "x" to enable accessing the app throughout an - optionally limited - period of time, spanning from x onwards. The concept is that altering the auth_user record at "x + 2" (or a membership to a group associated to that user) means that that user can't be IDENTIFIABLE and GAIN AUTHORIZATIONS at "x + 3", not that he shouldn't be able to use the app from "x + 2" onwards. On "x + 1" his login and permissions were available. Maybe the concept to push forward for those kinds of strict security requirements is - at most - to re-verify identification and authorizations once in a while (optionally), as opposed to the current behaviour that is to keep the sessions alive indefinitely if the user is continuously using the app.
On Wednesday, April 15, 2015 at 9:14:12 PM UTC+2, Leonel Câmara wrote:
>> I really don't know how to put it without hurting anyone's feeling, but
>> the mere fact is that ATM sessions are NOT tied to users
>
> Ahahah I realize that, but when you have authentication they end up being
> tied to the user indirectly in the user variable stored there.
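The "re-verify once in a while" idea from the post above, sketched as an added example (this is not web2py code and does not use its Auth API): a session records the time "x" of its last identity and authorization check plus the credential version it was issued against; inside the re-check interval the session is trusted as-is, and once the interval elapses the current auth_user record is consulted again. The `User`, `Session`, `UserStore` classes, the `credential_version` counter and the `credential` strings are all constructed for the illustration; a real deployment would store a slow password hash instead of the placeholder strings.

```python
import hmac
from dataclasses import dataclass


@dataclass
class User:
    """Stand-in for an auth_user row (constructed for this example)."""
    id: int
    credential: str            # placeholder for a password hash
    groups: frozenset          # placeholder for group memberships
    credential_version: int = 0  # bumped whenever the credential changes


@dataclass
class Session:
    """What the app keeps per session after a successful login at time x."""
    user_id: int
    credential_version: int    # version the session was issued against
    permissions: frozenset     # authorizations granted at verification time
    verified_at: float         # time "x" of the last identity/authorization check


class UserStore:
    """Minimal in-memory user table (constructed for this example)."""

    def __init__(self):
        self.users = {}

    def add(self, user):
        self.users[user.id] = user

    def change_credential(self, uid, new_credential):
        u = self.users[uid]
        u.credential = new_credential
        u.credential_version += 1   # any later re-check sees a different version

    def set_groups(self, uid, groups):
        self.users[uid].groups = frozenset(groups)

    def delete(self, uid):
        self.users.pop(uid, None)


def login(store, uid, credential, now):
    """Identify the user at time x and issue a session, or return None."""
    u = store.users.get(uid)
    if u is None or not hmac.compare_digest(u.credential, credential):
        return None
    return Session(uid, u.credential_version, u.groups, now)


def check_session(store, session, now, recheck_interval):
    """Return True if the session may keep being used at time `now`.

    Within `recheck_interval` seconds of the last verification the session
    is trusted unchanged (this is the "x + 1 .. x + 3" window in the post).
    After that, identity and authorizations are re-verified against the
    current user record: a deleted user or a changed credential ends the
    session, a changed group membership refreshes the permissions.
    """
    if now - session.verified_at < recheck_interval:
        return True
    u = store.users.get(session.user_id)
    if u is None or u.credential_version != session.credential_version:
        return False
    session.permissions = u.groups
    session.verified_at = now
    return True


def simulate(recheck_interval=60.0):
    """Walk both users through the timeline described in the post."""
    store = UserStore()
    store.add(User(1, "hash-of-old-password", frozenset({"editors"})))
    store.add(User(2, "hash-of-other-password", frozenset({"editors"})))
    s1 = login(store, 1, "hash-of-old-password", now=0.0)   # time x
    s2 = login(store, 2, "hash-of-other-password", now=0.0)
    out = {}
    out["u1_x+1"] = check_session(store, s1, 1.0, recheck_interval)
    store.change_credential(1, "hash-of-new-password")       # x + 2: credential altered
    store.set_groups(2, {"readers"})                         # x + 2: membership altered
    out["u1_x+3"] = check_session(store, s1, 3.0, recheck_interval)
    out["u2_x+3"] = check_session(store, s2, 3.0, recheck_interval)
    out["u2_perms_x+3"] = s2.permissions                     # still the old grant
    out["u1_after"] = check_session(store, s1, 61.0, recheck_interval)
    out["u2_after"] = check_session(store, s2, 61.0, recheck_interval)
    out["u2_perms_after"] = s2.permissions                   # refreshed on re-check
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

With a 60-second interval, both sessions stay usable at x + 3 even though the records changed at x + 2; the first re-check after the interval ends user 1's session (credential changed) and refreshes user 2's permissions (only membership changed). The interval is the knob between "sessions live indefinitely" and "every request re-reads auth_user".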