This token has no meaning outside this particular policy, and this
policy is inserted in a pyramid_multiauth stack.
So we must return the actual userid, and since both functions should
return the same thing, I feel we have to access the db in
unauthenticated_userid, although it is not meant to.
Unless, of course, we consider that returning None in
unauthenticated_userid and an actual userid in authenticated_userid is
acceptable behavior.
To summarize, the question is: which of these behaviors is the least
acceptable?
- unauthenticated_userid returns None while authenticated_userid returns
something
- unauthenticated_userid accesses the database
My feeling is that accessing the database is the lesser of two evils, but I
would like some confirmation.
Christophe