The TurboGears Identity module makes it easy to add authentication/authorization logic to your project.
You can modify the identity classes in model.py to add new features; however, you shouldn't remove existing columns, because the Identity code depends on them and removing one can break it.
Identity provides mechanisms to restrict access to particular controller methods via the @require decorator.
You can use SecureResource to restrict access to an entire class (and therefore an entire web directory).
You can use Identity checks from within your Kid templates to generate pages tailored to the current user's permissions (for example, only rendering an admin link for members of the admin group).
TurboGears escapes text that goes into your HTML by default, so you have to do extra, deliberate work to write code that exposes a cross-site scripting (XSS) vulnerability.
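What escape-by-default looks like, and what the deliberate bypass costs, as an added example written for this page. The tiny ${name} renderer stands in for a Kid template and is not Kid or TurboGears code; the Markup opt-out class, the comment template and the sample inputs are all constructed.

```python
# Constructed stand-in for a template engine that escapes every substituted value
# unless the application explicitly marks it as safe markup (the bypass).
import html
import re


class Markup(str):
    """A string the application vouches for as already-safe HTML; the renderer leaves it untouched."""


def escape(value):
    """Every value is HTML-escaped unless it was explicitly wrapped in Markup."""
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


EXPR = re.compile(r"\$\{(\w+)\}")


def render(template, **context):
    """Substitute ${name} expressions, escaping each value on its way into the HTML."""
    return EXPR.sub(lambda m: escape(context[m.group(1)]), template)


# Constructed template: body in element content, author inside an attribute value.
COMMENT_TEMPLATE = '<p class="comment">${body}</p> <a href="/users/${author}">${author}</a>'


def render_comment(author, body, trust_body=False):
    """trust_body=True is the bypass: it asserts the body is safe HTML. Never do that with user input."""
    if trust_body:
        body = Markup(body)
    return render(COMMENT_TEMPLATE, author=author, body=body)


def contains_live_tag(output, tag="script"):
    """Detection helper: is an unescaped <tag> present in the rendered output?"""
    return ("<%s" % tag) in output


if __name__ == "__main__":
    untrusted = "<script>x()</script>"          # constructed hostile comment body
    print(render_comment("mallory", untrusted))
    print(render_comment("mallory", untrusted, trust_body=True))
```

The default path neutralises the tag in both element content and the attribute value; the only way to get live markup into the page is to wrap user data in Markup yourself, which is exactly the "bypass automatic escaping" case the text warns about.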
TurboGears automatically escapes data that you send to your database, making SQL injection attacks that much harder.
You can still write insecure applications with TurboGears if you bypass automatic escaping mechanisms or execute user data in any way. TurboGears isn't designed to prevent you from writing insecure code, but it is designed to make doing things the right way easier.
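The database side of the same point, as an added example written for this page using the standard-library sqlite3 module; it is not TurboGears or SQLObject code. The table name tg_user echoes the Identity model's default user table, but the schema, rows and lookup inputs are constructed. The "unsafe" function shows what bypassing the escaping layer by formatting user data into SQL text does; the "safe" one uses the driver's parameter binding, which is what the framework's automatic escaping achieves for you.

```python
# Constructed comparison: string-formatted SQL (bypasses escaping) versus parameter binding.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tg_user (user_name TEXT PRIMARY KEY, email_address TEXT)")
    conn.executemany(
        "INSERT INTO tg_user VALUES (?, ?)",
        [("alice", "alice@example.test"),      # constructed sample rows
         ("bob", "bob@example.test"),
         ("o'brien", "ob@example.test")],
    )
    return conn


def find_user_unsafe(conn, name):
    """Splices the value into SQL text, so quotes inside it change the query's meaning."""
    sql = "SELECT user_name FROM tg_user WHERE user_name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameter binding: the driver sends the value separately; it is data, never SQL syntax."""
    rows = conn.execute("SELECT user_name FROM tg_user WHERE user_name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Run both versions on the same input: the unsafe one either errors on a quote or over-matches."""
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return {"unsafe": unsafe, "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    for probe in ("alice", "o'brien", "x' OR 'a'='a"):   # constructed inputs
        print(repr(probe), "->", compare(probe))
```

A legitimate name containing an apostrophe already breaks the formatted version, which is a cheap functional test to keep in a suite: if a quote in a user-supplied value causes a database error, that query is being built by concatenation and needs parameter binding.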