Authentication and authorization are needed for almost any non-trivial application. The trouble is that many people have different needs. TurboGears Auth/Auth should have the following features:
- an SQLObject data model that handles users with roles and mappings from roles to permissions
- ability to use other data models/protocols (none need to be implemented... it just needs to be possible)
- ability to use basic or cookie auth with a login screen
- no use of session variables
- ability to require authentication for part of the site
- ability to require authentication for a single method
A separate ticket will cover creating a basic administration interface for users.
It will be good to look at work already done, particularly in the context of CherryPy?. The best known work on auth in CherryPy? appears to be MultiAuth.
PyProtocols may be an important part of this in a couple of ways: 1) it will make it easier to adapt someone's data model to whatever is needed for TurboGears auth, 2) the generic function dispatch functionality can be very useful for setting up more complicated rules. Phillip Eby has done a lot of work on PEAK authentication, so it's worth looking at for ideas if nothing else.
