On Wed, Jul 8, 2009 at 8:56 AM, Yarko Tymciurak <yark...@gmail.com> wrote:
>
> On Wed, Jul 8, 2009 at 1:55 AM, Yarko Tymciurak <yark...@gmail.com> wrote:
>>
>> On Wed, Jul 8, 2009 at 1:45 AM, Hans Donner <hans.don...@pobox.com> wrote:
>>>
>>> Hi All,
>>>
>>> yarko, are you carrying an ID? So if I want to know who you are you
>>> show me your ID aren't you?
>>
>> I present those to log in; I don't use those to say "I decide I am
>> authorized!"

Exactly, but you ask the user to present the token - on which you base
your decision. In the @user.is_loggedin case, the user object can get
that token from the authority (and is thus acting as a proxy for
auth).

In my opinion, using @auth or @user is not per se that one wins over
another - it depends on the philosophy and implementation behind it.

> Actually, if I'm KGB or CIA, and carry a weapon, I suppose I would say "I
> decide I am authorized...", I just don't think that's the model appropriate
> for web authentication ;-)

That's what happens if you use a framework you don't trust or behave
badly yourself...