Your authenticator class gets called every time a protected pipeline is accessed. If users need a certain role level, just check their role and return false if it's not sufficient.
No, the authenticator is only called once per session.
*shrug* well that was sort of what i meant - it didn't come out right in the email though :-))
So I'll just go back to sleep now.
Jorg
