In the implementation of is_authorized, it’s absolutely possible to query some authorization repository, or any other completely arbitrary set of parameters (file existence, time of day, random bit stream, …). It’s a function – compute what you want.

And yes, if it makes sense for your app, it’s a great idea to put your auth code in a module that can be called from the is_authorized of many different resources. Reuse through modularity for the win!

The is_authorized function is one of the many Webmachine Resource Functions, all documented at http://bitbucket.org/justin/webmachine/wiki/WebmachineResources

The table on that page shows the default values for each of those functions which will be used if your resource function does not export it.

It is definitely possible (and not very hard) to do all of the things you ask, including checking auth with a database, using a single central auth function, and so on. However, Webmachine is a Web toolkit and not a framework — it makes no claims to know better than you what the “right” way is to make such application-specific decisions.

How does webmachine knows about is_authorized?
Does it check if it exists and exported and use it otherwise assume no auth is required?

Is it possible to authenticate users against credentials stored in a db and keep a session cookie?
Can I keep the actual auth code in one place and only call it from all the resources if required? Where is the right place to put such auth backend?

Thanks