I'm really sorry.... I'm looking for an answer to this question: 2) I saw what auth.settings.allow_basic_login = True does (and auth.basic()) and it "allows" the basic authentication in addition to the default auth (also with disabled actions). Maybe the default auth can be shut down totally?
That is quite clear, I guess... I can't find a way to shut down default auth and leave only basic auth as the default method for login let's explain in other words the other "feature request" instead... I don't know in deep all the auth module, but (at least for me) is the one that is less "usable" when you create web services. what I'm asking is the best way (i.e. the less error prone way) to have the auth decorators to return/raise an http status instead of raising a redirect to login page or the "user" controller. Right now it seems that you can configure quite all, but all you can configure is where the user will be redirected when the authorization fails.... If you want to create an interface to a web api, maybe a REST one, you rarely need to redirect someone to the login page if he is not a valid user, nor you need to redirect him if he is a valid user without the permissions to access a particular controller/resource...you just tell him it's not authorized (the "recommended" behaviour would be to raise a 404). Going by hand to patch the auth module substituting all redirects to something else or creating a new one from scratch seems a little bit a long catch...maybe who planned and coded the auth module will figure out a "smart" way to enable this behaviour...and I think that web2py will be a good contender to django-piston or other frameworks of choice when you are going to create a web [RESTful] API.
