The fact of the account being activated or not doesn't seem to me
like protocol information. Now that we have added account
activation, it means that there are actually two different logical
levels of account access now:

1. activated -- full access to the application
2. not-yet-activated -- limited access (can only pre-add
   subscriptions)

We can certainly auth a user based on just login ID and password --
we know they have a valid account in the system, even if it hasn't
been activated yet.

How is checking for an 'activated' flag in the account any
different from checking for an 'administrator' flag to limit access
to certain functionality?

The way it is currently implemented, this comes down to the
difference between authorization and authentication. Non-"activated"
users cannot authenticate, while non-"administrator" users are not
authorized to perform certain tasks. While I'm open to revisiting
this idea, it would require some additional research and auth/z layer
code.

Any thoughts on this, Brian?

-Travis
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Open Source Applications Foundation "Design" mailing list
http://lists.osafoundation.org/mailman/listinfo/design
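
The two placements of the 'activated' check discussed in this thread, as an added sketch that is not part of the original messages or the project's code. The account fields, action names and sample users are assumptions constructed for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Account:  # field names are assumptions, not the project's schema
    login: str
    salt: bytes
    pw_hash: bytes
    activated: bool = False
    administrator: bool = False

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(login, password, **flags):
    salt = os.urandom(16)
    return Account(login, salt, _hash(password, salt), **flags)

# Constructed sample accounts.
ACCOUNTS = {a.login: a for a in (
    make_account("alice", "pw-alice", activated=True, administrator=True),
    make_account("bob", "pw-bob", activated=True),
    make_account("carol", "pw-carol"),  # registered, not yet activated
)}

def authenticate(login, password, require_activation):
    """Return the Account if the credentials are valid, else None.
    require_activation=True models the behaviour described in the reply:
    non-activated users cannot authenticate at all."""
    acct = ACCOUNTS.get(login)
    if acct is None or not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
        return None
    if require_activation and not acct.activated:
        return None
    return acct

# Authorization table: flags an action requires (empty = any authenticated account).
REQUIRED_FLAGS = {
    "pre_add_subscription": (),
    "use_application": ("activated",),
    "manage_users": ("activated", "administrator"),
}

def authorize(acct, action):
    """Deny by default: unauthenticated callers and unknown actions are refused."""
    if acct is None or action not in REQUIRED_FLAGS:
        return False
    return all(getattr(acct, flag) for flag in REQUIRED_FLAGS[action])
```

With `require_activation=False` the not-yet-activated account authenticates but is limited to pre-adding subscriptions, which is the two-level model proposed in the first message; with `True` the same account never reaches the authorization layer.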