For once, I do not come with a “technical” question but rather with an architectural/structural question.
I’m currently building a web platform; there is a public zone and a private zone.
All URLs are handled by a process which has to check which resource is requested and then redirect the request to the correct process.
Most of the time, the process just checks if the requested page is available and public.
If it’s not available, the pageHandler process throws an HTTP error document depending on the error.
If the page is a private page, the pageHandler process requests authentication and the OAuthHandler does its job.
Now, I’m wondering one thing. Do I have to protect my private pages individually with an authentication process in them, or can I leave them like that?
It will depend on how fine-grained you want your access control to be. Are all private pages editable by anyone who is authenticated? Or do you want further restrictions (e.g. that a page can only be edited by the person who created it)? Are there going to be different classes of users, with different privileges?
If you are trying to build yet another web application framework, I suggest that you first check if one of the existing ones fills your needs. There are many different choices, from microframeworks like bottle, flask and web.py to large ones like django, web2py and zope.
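To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) of a central pageHandler-style dispatcher, written in plain Python with no framework. It assumes a small in-memory page table, a Session object that carries the authenticated user name, and a constructed set of sample pages. It shows the two layers the answer is pointing at: the central gate handles authentication (is the requester logged in at all?), but the per-resource authorization (may this user edit this particular page?) still has to be checked against the page itself, and a page that is not explicitly marked public is treated as private, so forgetting to annotate a page fails closed rather than open.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Page:
    """A page in the (hypothetical) page table.

    public defaults to False: a page that nobody bothered to mark is private,
    so the central gate denies by default instead of silently exposing it.
    owner is the user allowed to edit the page (None = nobody can edit it).
    """
    content: str
    public: bool = False
    owner: Optional[str] = None

@dataclass(frozen=True)
class Session:
    """Result of the OAuthHandler step: user is None when not authenticated."""
    user: Optional[str] = None

    def is_authenticated(self) -> bool:
        return self.user is not None

# Constructed sample data standing in for the platform's real page store.
PAGES = {
    "/":          Page("welcome", public=True),
    "/about":     Page("about us", public=True),
    "/dashboard": Page("private dashboard", owner="alice"),
    "/posts/42":  Page("alice's post", owner="alice"),
}

READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"PUT", "DELETE"}

def page_handler(path: str, method: str, session: Session) -> Tuple[int, str]:
    """Central dispatcher: returns (http_status, body).

    Layer 1 (authentication) is decided here for every URL, so individual
    page handlers never have to repeat the login check.
    Layer 2 (authorization) depends on the specific resource and the user,
    which is exactly the fine-grained part the central gate cannot decide
    on its own; it is computed from the page's own metadata.
    """
    page = PAGES.get(path)
    if page is None:
        return 404, "Not Found"

    if method not in READ_METHODS | WRITE_METHODS:
        return 405, "Method Not Allowed"

    # Layer 1: anything private, and any write at all, needs a logged-in user.
    needs_login = (not page.public) or (method in WRITE_METHODS)
    if needs_login and not session.is_authenticated():
        # In the real platform this is where the OAuthHandler would take over.
        return 401, "Authentication required"

    if method in READ_METHODS:
        return 200, page.content

    # Layer 2: only the owner may change the page. Being logged in is not
    # enough, so this check cannot live in the central gate alone.
    if page.owner is None or page.owner != session.user:
        return 403, "Forbidden"
    return 200, f"{method} {path} ok"

if __name__ == "__main__":
    anon, alice, bob = Session(), Session("alice"), Session("bob")
    for req in [("/", "GET", anon), ("/dashboard", "GET", anon),
                ("/dashboard", "GET", alice), ("/posts/42", "PUT", bob),
                ("/posts/42", "PUT", alice), ("/about", "PUT", anon)]:
        print(req[0], req[1], req[2].user, "->", page_handler(*req))
```

The point of the example is that the question's "leave them like that" is safe only for the authentication half: the central gate reliably answers "who is this?", but "may this user do this to this page?" is a property of the page, so the page (or the data it is built from) has to carry the owner or role information and the dispatcher has to consult it before handing the request on.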