[Zope-PAS] Failing to fill users properties, should it cause an error?
Mark Hammond
mhammond at skippinet.com.au
Sun Feb 4 18:35:10 EST 2007
Hi Jens,

> On 4 Feb 2007, at 23:24, Mark Hammond wrote:
> > So to slightly change the focus of Sidnei's question: should PAS
> > complain loudly when after enumerating all property related plugins,
> > PAS fails to find *any* properties for a specific user?
>
> I think you're mixing up a couple things, you brought roles into the
> game as well.

IIUC, in an LDAP environment the roles are generally filled based on the
groups the user belongs to. Without a list of groups, the roles are
generally incorrect. Without user-properties for a user, there are no
groups, and therefore no roles. I understand different interfaces provide
these roles, but in this case they all ultimately are derived from the
properties fetched (or in this case, *not* fetched).

For my information, what things am I mixing up?

> For pure properties PAS should *not* complain. The
> basic user folder behavior doesn't even use and expect them, either.
> Maybe if a user has no roles it may complain, but even then I'm not
> sure.
>
> This whole properties issue looks very much like a "site policy"
> decision to me.

We've been mixing up functionality and implementation. Let's look at this
another way:

If PAS fails to find the user that is being logged in, should it (a)
complain or (b) allow the user to login, but with that user having *no*
properties at all?

I believe that for the vast majority of sites, the correct answer should be
(a). Some sites may want a policy that allows (b), but I can't think of a
reasonable use for that.

If we can agree on the desired semantics, we can then look at
implementation. Currently PAS only allows for (b) - do people believe the
semantics of (b) are a better default than (a)?

Cheers,
Mark
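
The two semantics discussed in the message above, (a) complain and (b) log the user in with no properties, sketched as an added example that is not part of the original message and is not PAS code. The plugin function, the `strict` switch, the exception name and the sample directory are all hypothetical and constructed for illustration.

```python
class MissingUserData(Exception):
    """Raised under policy (a) when no plugin returned any properties."""

# Constructed sample data standing in for an LDAP directory and a
# group-to-role mapping; none of this comes from the original thread.
DIRECTORY = {"alice": {"cn": "Alice", "groups": ["editors"]}}
GROUP_ROLES = {"editors": ["Editor"], "admins": ["Manager"]}

def ldap_properties(user_id):
    """Hypothetical properties plugin: returns {} when the lookup finds nothing."""
    return dict(DIRECTORY.get(user_id, {}))

def roles_from_groups(properties):
    """Roles are derived from groups, and groups come from the properties."""
    roles = set()
    for group in properties.get("groups", []):
        roles.update(GROUP_ROLES.get(group, []))
    return sorted(roles)

def build_user(user_id, property_plugins, strict=True):
    """Merge properties from every plugin, then apply the site policy.

    strict=True  -> policy (a): refuse to build a user with no properties.
    strict=False -> policy (b): build the user anyway, with no properties
                    and therefore no groups and no roles.
    """
    properties = {}
    for plugin in property_plugins:
        properties.update(plugin(user_id) or {})
    if not properties and strict:
        raise MissingUserData("no properties found for %r" % user_id)
    return {
        "id": user_id,
        "properties": properties,
        "roles": roles_from_groups(properties),
    }

if __name__ == "__main__":
    print(build_user("alice", [ldap_properties]))
    # Policy (b): the login proceeds, but the role list is silently empty.
    print(build_user("bob", [ldap_properties], strict=False))
    try:
        build_user("bob", [ldap_properties])  # policy (a)
    except MissingUserData as exc:
        print("refused:", exc)
```

Under policy (b) the failed lookup surfaces only as an empty role list, which is indistinguishable from a user who legitimately has no roles.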