On 04 September 2002, Jonathan Corbet said: > Regarding Greg's thoughts on user authentication: if request.session.user > changes, I could end up with (another) cleanup job to do. Best to do that > before 1.0 if you're going to - or wait for 2.0. My thinking is to make any backwards incompatibility there purely theoretical -- ie. right now Quixote makes no demands on what you put in session.user, and that wouldn't change. It might *expect* to find an instance of some new Quixote-provided User class, but I would try fairly hard to make Not A Big Deal if apps don't play along with the new rules. The session management changes with 0.5 were somewhat painful because there was an existing session API that needed repair. Introducing an access control API should be much smoother, because there's nothing there to speak of now. Greg -- Greg Ward - software developer gward@mems-exchange.org MEMS Exchange http://www.mems-exchange.org