On Aug 9, 5:14 am, huimies <huim...@gmail.com> wrote:
> Yes, that's what I have done and I got the logged in user's id.
>
> My colleague just got an excellent idea of exposing a json api in our
> web2py app for checking permissions. Then tornado handlers can query
> permissions through http and we don't have this problem. I just wonder
> if there are some security issues here...

It depends... you can always restrict access to the JSON API to your app.
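
One way to restrict the permissions JSON API to the app, shown as an added example that is not part of the original thread: the Tornado side signs each query with a secret shared with the web2py app, and the API refuses anything unsigned, altered or stale. The function names, the `ts`/`sig` parameters, the secret and the permission table are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumption: a secret known only to the web2py app and the Tornado process
# (constructed value; load it from configuration in practice).
SHARED_SECRET = b"constructed-demo-secret"
MAX_SKEW = 30  # seconds a signed request stays valid

# Constructed table standing in for the app's real permission lookup.
PERMISSIONS = {(7, "edit_post")}


def sign_request(user_id, permission, ts, secret=SHARED_SECRET):
    """Tornado side: MAC over exactly the fields the API will act on."""
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([user_id, permission, ts], separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(user_id, permission, ts, sig, now=None, secret=SHARED_SECRET):
    """API side: accept only fresh requests carrying a valid MAC."""
    now = time.time() if now is None else now
    try:
        ts = int(ts)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False  # stale or future-dated: limits replay of captured calls
    expected = sign_request(user_id, permission, ts, secret)
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), str(sig).encode())


def check_permission_api(params, now=None):
    """Hypothetical endpoint body: returns (HTTP status, JSON payload)."""
    ok = verify_request(params.get("user_id"), params.get("permission"),
                        params.get("ts"), params.get("sig"), now)
    if not ok:
        return 403, {"error": "forbidden"}  # no permission data leaks out
    allowed = (params["user_id"], params["permission"]) in PERMISSIONS
    return 200, {"allowed": allowed}
```

A signed query can still be replayed within `MAX_SKEW` seconds, which is tolerable for a read-only permission check; binding the API to the loopback interface when both processes share a host narrows exposure further.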