[Zope-PTK] Membership Design

Bill Anderson bill@libc.org
Wed, 02 Aug 2000 19:04:05 -0600


OK, after futzing around for a few weeks on the user management stuff, I have decided that
a redesign may be in order.

So, out of curiosity, and as a proof of concept, I re-implemented the member mix-in and
persistentusersource provided in the membership product.

I put roles, domains, listed, and password onto a propertysheet (of the DataSkin variety).
The password is stored encrypted. There is a 'downside' to this, in that you can't just
send someone their password. On the other hand, that means the password isn't in
cleartext.

Just for fun, I decided to add a members-only catalog, one that only members are indexed
into, and followed up with the CatalogTrigger addon. Now I have the capability to search
for a user and send them a _new_ password if they should forget theirs.

The aspect of this that concerns me is the roles being in a propertysheet. Just how
accessible to the user are these? IIUC, they can only change the properties if they have
permission. But this would theoretically mean they can change their own roles. This would
be bad. I'm not concerned about them accessing them through the management interfaces,
since those will have a separate permission/role requirement. My concern is that they
could write DTML that changes these properties, giving themselves the manager role, for
instance.

Now, on sites where members/users don't get to write DTML, this is clearly a lesser issue.

I can have this new system boxed up in a day or two provided I can get the concern over
roles subdued. :)

BTW, yes, I know about the __ thing; that's how the previous/current release operates. My
problem has been in modifying the roles from Zope. Given the lack of response on the
lists, I get the feeling I'm not alone in this. :/
That is why I tried the new route. :)

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy,
and have the root password.
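Added example, not from the post and not Zope or PTK code: a plain-Python model of the
design under discussion, a member whose roles, domains, listed flag and password sit on
one property sheet. It shows why "the owner may write their own sheet" lets a member add
Manager to their own roles, one way to guard the roles and domains slots behind a
separate user-management permission even on the member's own sheet, and the
hashed-password / issue-a-new-password flow the post describes. The permission name
"Manage users", the property names, and the Member and Caller classes are assumptions;
this models the access rule only, not Zope's security machinery or DTML.

```python
# Added example, not from the post nor from Zope/PTK.  Permission name, property
# names and the Member/Caller classes are assumptions made for illustration.
import hashlib
import hmac
import os
import secrets
import string

MANAGE_USERS = "Manage users"          # hypothetical permission name
MEMBER_EDITABLE = {"listed", "email"}  # a member may write these on their own sheet
MANAGER_ONLY = {"roles", "domains"}    # never writable through self-ownership alone


class Forbidden(Exception):
    pass


def _hash(password, salt):
    # Salted PBKDF2; the sheet keeps only this digest, never the cleartext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Member:
    def __init__(self, name, password, roles=("Member",)):
        self.name = name
        self.props = {"roles": list(roles), "domains": [], "listed": True, "email": ""}
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

    def check_password(self, password):
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)


class Caller:
    """Who is making the write: which member (if any) and which permissions they hold."""

    def __init__(self, member=None, permissions=()):
        self.member = member
        self.permissions = set(permissions)

    def is_manager(self):
        return MANAGE_USERS in self.permissions

    def owns(self, target):
        return self.member is target


def naive_set(caller, target, name, value):
    """The risky rule: owning the sheet is enough to write any property on it."""
    if not (caller.owns(target) or caller.is_manager()):
        raise Forbidden(name)
    target.props[name] = value


def guarded_set(caller, target, name, value):
    """Ownership covers only MEMBER_EDITABLE; roles/domains need MANAGE_USERS even
    on one's own sheet; a password write is hashed, never stored as given."""
    if name == "password":
        if not (caller.owns(target) or caller.is_manager()):
            raise Forbidden(name)
        target.salt = os.urandom(16)
        target.pw_hash = _hash(value, target.salt)
    elif name in MANAGER_ONLY:
        if not caller.is_manager():
            raise Forbidden(name)
        target.props[name] = list(value)
    elif name in MEMBER_EDITABLE:
        if not (caller.owns(target) or caller.is_manager()):
            raise Forbidden(name)
        target.props[name] = value
    else:
        raise KeyError(name)


def escalation_possible(setter):
    """Does `setter` let a plain member add Manager to their own roles?"""
    alice = Member("alice", "hunter2")  # constructed sample member
    try:
        setter(Caller(alice), alice, "roles", ["Member", "Manager"])
    except Forbidden:
        return False
    return "Manager" in alice.props["roles"]


def reset_password(caller, target, length=12):
    """The forgotten-password path: only a hash is kept, so issue a fresh random
    password and return it once for delivery; the sheet stores only its hash."""
    alphabet = string.ascii_letters + string.digits
    new_pw = "".join(secrets.choice(alphabet) for _ in range(length))
    guarded_set(caller, target, "password", new_pw)
    return new_pw


if __name__ == "__main__":
    print("naive escalation:", escalation_possible(naive_set))      # True
    print("guarded escalation:", escalation_possible(guarded_set))  # False
```

The point of the split is that "may the caller write this sheet" and "may the caller
write this property" are two different questions: ownership answers the first, but only
the user-management permission may answer the second for roles and domains, whatever
code path (management screen or member-written DTML) performs the write.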