MultiAuth News

I have not forgotten MultiAuth, my little authentication/access control library for CherryPy. It has been working for me so I haven’t made any changes recently, but I have had some ideas that I have been playing with.

The main thing I have been fiddling with in my spare time is converting it to a CherryPy filter. Turning it into a filter will help clean up the code somewhat, separating the role-setting behavior from the role-checking behavior. Currently, it uses one massive decorator to assign and check roles on methods. Eeewww… ;-)

However, I want to be sure that roles can continue to be specified in the code using decorators. Since filters know nothing about the actual method that was just called, simply setting attributes on the method won’t cut it. My current idea is for the decorator to wrap the method such that it returns a SecuredResource object. Basically, it will have two attributes: roles and data. The filter will check that the current user has at least one of the roles specified in the SecuredResource object and then act appropriately. It will then set cherrypy.response.body to the contents of the SecuredResource data attribute.
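A minimal sketch of the design described above, added here as an illustration and not MultiAuth's actual code. `require_roles`, `role_filter`, `Response`, `Root` and `serve` are hypothetical names, and a plain object stands in for `cherrypy.response` so the example runs without CherryPy.

```python
import functools

class SecuredResource:
    """Handler output tagged with the roles allowed to receive it."""
    def __init__(self, roles, data):
        self.roles = frozenset(roles)
        self.data = data

def require_roles(*roles):
    """Decorator (hypothetical name): make the handler return a SecuredResource."""
    if not roles:
        raise ValueError("at least one role is required")  # fail closed
    def decorate(handler):
        @functools.wraps(handler)
        def wrapper(*args, **kwargs):
            # The handler body runs here, before any role check takes place.
            return SecuredResource(roles, handler(*args, **kwargs))
        return wrapper
    return decorate

class Response:
    """Stand-in for cherrypy.response (assumption: only status and body matter)."""
    def __init__(self, body):
        self.status = 200
        self.body = body

def role_filter(response, user_roles):
    """Stand-in for the filter step that runs after the handler returns."""
    resource = response.body
    if not isinstance(resource, SecuredResource):
        return response                      # undecorated handler: pass through
    if resource.roles & set(user_roles):     # user holds at least one role
        response.body = resource.data
    else:
        response.status = 403
        response.body = "Forbidden"          # overwrite so data never leaks
    return response

class Root:
    """Constructed sample application."""
    @require_roles("admin", "editor")
    def edit(self):
        return "edit form"
    def index(self):
        return "public page"

def serve(handler, user_roles):
    """Simulate one request: call the handler, then apply the filter."""
    return role_filter(Response(handler()), user_roles)
```

Because the filter only sees the return value, the handler has already executed by the time the roles are checked, so a denied request still runs the handler body. The filter therefore has to replace the body on denial, otherwise the SecuredResource data would reach the client.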

Beyond just setting the required roles with decorators, I’d like to maintain API (if you can call it that :-) ) compatibility with the current version of MultiAuth.

I’m pretty close to both of these goals, but I just need a nice block of time to finish it up. After it is converted to a filter, my next goal will be to add support for multiple authentication front ends. It already has a pretty simple way to add support for new back ends, so support for multiple front ends (forms based, browser based, etc?) would give the developer even more flexibility.

In other news, it looks like the fine folks at TurboGears are considering MultiAuth for use in their megaframework. Pretty neat.

cw
