[Zope-PTK] my user folder wishlist

Andrew Wilcox circle@gwi.net
Fri, 04 Feb 2000 10:13:41 -0500


Here's what I'd like to see supported by the new scheme:

Have the ability to configure the system so that users will only ever get a
login page, and never get hit with a 401 Unauthorized or a browser's basic
auth username/password window.

When access to an object is unauthorized, be able to send the user a plain
and simple "sorry, you can't access that" page, rather than getting a login
challenge.  Zope and GUF popping into basic auth and the docLogin page
respectively is a great hack for making the anonymous -> authenticated user
transition, but terribly confusing for the user who is already logged in.

However, although I'd like my system to be configured so that it doesn't
send a 401, I'd like it to still recognize a basic auth header for xmlrpc
and my Zope admin.  I wouldn't want my sysadmin to be locked out of Zope
just because the backend user database is down at the moment.

I might want to have the user enter one kind of identifying information
(such as an email address), which then gets mapped or looked up in the user
folder/database to get the account name.  Both Zope basic auth and GUF
currently expect that what the user types in is the literal username used
inside of Zope.  So, when we look at the interface design for the UUF
validator and UserSource, we need to distinguish between "which account is
the user trying to log into?" and "is the authorization valid for that
account?"  Would it be the role of the Validator in this example to take
the email address and use that to look up the account in the UserSource?
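The behaviour sketched in this post can be captured in a small Python model. The following is an added example, not code from the post, from Zope, or from GUF/UUF: the `Request`, `UserSource`, `Validator` and `handle` names are hypothetical, the account and session tables are constructed sample data, and the split of "which account?" (`UserSource.account_for`) from "is the password right?" (`UserSource.check_password`) is one possible answer to the question raised above. A Basic auth header is always honoured when present (so XML-RPC clients and an admin keep working), but the server never issues a 401 challenge: anonymous users are redirected to a login page and logged-in users who lack the required role get a plain "sorry" page.

```python
import base64
import hmac
from dataclasses import dataclass

# Constructed sample accounts (not a real Zope user folder): account name -> record.
USERS = {
    "awilcox": {"email": "andrew@example.invalid", "password": "pw-member", "roles": {"Member"}},
    "sysadmin": {"email": "root@example.invalid", "password": "pw-admin", "roles": {"Manager"}},
}

# Constructed session store filled in by the login page: cookie value -> account name.
SESSIONS = {"sess-abc123": "awilcox"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not Zope's REQUEST)."""
    path: str
    headers: dict
    cookies: dict


class UserSource:
    """Holds accounts and answers 'which account?' and 'is this password right?'."""

    def __init__(self, users):
        self.users = users

    def account_for(self, identifier):
        # Identification: accept either the account name or the e-mail address
        # the user typed and return the canonical account name (or None).
        if identifier in self.users:
            return identifier
        for name, rec in self.users.items():
            if rec["email"].lower() == identifier.lower():
                return name
        return None

    def check_password(self, account, password):
        # Authentication: constant-time comparison against the stored secret.
        rec = self.users.get(account)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    def roles(self, account):
        return self.users.get(account, {}).get("roles", set())


class Validator:
    """Pulls credentials out of the request and resolves them to an account."""

    def __init__(self, source, sessions):
        self.source = source
        self.sessions = sessions

    def validate(self, request):
        # 1. A Basic auth header is honoured whenever a client sends one
        #    (XML-RPC, the Zope admin), even though we never challenge for it.
        auth = request.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
            identifier, _, password = decoded.partition(":")
            account = self.source.account_for(identifier)
            if account and self.source.check_password(account, password):
                return account
            return None
        # 2. Otherwise fall back to the session cookie set by the login page.
        return self.sessions.get(request.cookies.get("session"))


def basic_header(identifier, password):
    """Build an Authorization header value the way a Basic auth client would."""
    raw = f"{identifier}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def handle(request, required_role, validator, source):
    """Return (status, body) for a protected object; never a 401 challenge."""
    account = validator.validate(request)
    if account is None:
        # Anonymous -> authenticated transition: send the login page, not a 401.
        return 302, f"/login?came_from={request.path}"
    if required_role not in source.roles(account):
        # Already logged in but not allowed: a plain "sorry" page, no re-login.
        return 403, f"Sorry {account}, you can't access {request.path}."
    return 200, f"{account} may view {request.path}"


if __name__ == "__main__":
    src = UserSource(USERS)
    val = Validator(src, SESSIONS)
    print(handle(Request("/private", {}, {}), "Member", val, src))
    print(handle(Request("/private", {}, {"session": "sess-abc123"}), "Member", val, src))
    print(handle(Request("/manage", {}, {"session": "sess-abc123"}), "Manager", val, src))
    admin = Request("/manage", {"Authorization": basic_header("root@example.invalid", "pw-admin")}, {})
    print(handle(admin, "Manager", val, src))
```

Because the Basic auth path goes through `account_for` first, the admin can log in with an e-mail address just as a browser user can, and because it never depends on the session store, it keeps working if whatever backs the login page is unavailable. A bad Basic password is treated like an anonymous request (redirect to login) rather than a challenge; whether to special-case that for non-browser clients is a policy choice this model leaves open.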