implement a session framework #86
Comments
@pjz implemented http basic and digest at some point. We need cookie auth and a consistent documented interface to the whole.
This adds a couple simple auth checks to the core request handling code in website.py that don't depend on the hooks infrastructure, and a configurable cookie authentication system that does depend on hooks. Needs to be documented, and the method for turning auth "on" is much too coarse.
I think the interface should be the existing hooks interface. Also, hook filters (aspen.hooks.filters.*) can then be used to control what does and doesn't require authorization.
My concern with using the existing hooks interface is that users will inadvertently open up a security hole. We want to turn off caching for all authenticated requests, and we don't want users to be able to turn that on.
Maybe a wrapper for auth hooks that turns off the caching? So your hook is like: `filter(dont_cache(auth_hook(...)))`
replaced by #139
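The `filter(dont_cache(auth_hook(...)))` composition suggested in the thread, sketched as an added example that is not code from this issue or from Aspen. The hook signature, the `Response` stand-in, `path_filter`, `handle` and the session data are all assumptions made for illustration; `handle` also shows a core-level re-check for the case where a later hook sets a cacheable policy.

```python
# Added illustration. The hook signature (request dict, Response) is hypothetical,
# not Aspen's real hooks API; session ids and paths are constructed sample data.
NO_STORE = "no-store, private"

class Response:
    def __init__(self):
        self.code = 200
        self.headers = {}

def auth_hook(sessions):
    """Cookie auth: attach the user for a known session id, else answer 401."""
    def hook(request, response):
        request["user"] = sessions.get(request.get("cookies", {}).get("session"))
        if request["user"] is None:
            response.code = 401
        return response
    return hook

def dont_cache(hook):
    """Wrapper from the thread: run the auth hook, then forbid caching."""
    def wrapped(request, response):
        response = hook(request, response)
        response.headers["Cache-Control"] = NO_STORE  # overwrite, never setdefault
        response.headers.pop("Expires", None)
        return response
    return wrapped

def path_filter(prefix, hook):
    """Stand-in for a hook filter: apply the hook only under `prefix`."""
    def filtered(request, response):
        return hook(request, response) if request["path"].startswith(prefix) else response
    return filtered

def handle(request, hooks, enforce_in_core=True):
    """Run the hook chain; optionally re-apply no-store in core once all hooks ran."""
    response = Response()
    for hook in hooks:
        response = hook(request, response)
    if enforce_in_core and "user" in request:  # auth ran on this request
        response.headers["Cache-Control"] = NO_STORE
        response.headers.pop("Expires", None)
    return response

def careless_hook(request, response):
    """A later user hook that enables caching for every response."""
    response.headers["Cache-Control"] = "public, max-age=3600"
    return response
```

With `enforce_in_core=False`, a hook that runs after the wrapped auth hook can still overwrite the header, which is the gap the core check closes.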