> On 2 Feb 2007, at 19:45, Sidnei da Silva wrote:
> > Now, some might argue that this is an application-specific policy. The
> > fact is that there's no obvious way currently of 'vetoing' a login
> > based on the lack of certain user properties (like the email example
> > above).
> > I would like to change PAS so this is possible to do. Any
>
> Instead of adding yet another plugin type (I think there are too many
> as it is), shouldn't this be handled by an overridden plugin of one
> of the standard types, like maybe an overridden properties plugin?
> I think this is a very narrowly focused functionality that only very
> few users may ever need.

Another side-effect of the issue Sidnei raises is that it is quite easy for
PAS to be configured such that a user gets *zero* properties, but PAS never
complains. Everything seems to work fine, except things based on their user
properties - e.g., the user has no roles applied and no email address. This
leads to subtle problems which are not obviously related to an incorrectly

While Sidnei focusses on site-specific policies, I believe the underlying
issue - that a user can fail to get any properties - is more general. For
example, if PAS is configured with an LDAP plugin, but the LDAP plugin is
configured incorrectly, PAS will ask (possibly a number of) plugins for
user-properties - but all return zero properties. At the end of the
process, the user still has zero properties.

So to slightly change the focus of Sidnei's question: should PAS complain
loudly when, after enumerating all property-related plugins, PAS fails to
find *any* properties for a specific user?

Zope-PAS mailing list
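
Added example, not part of the original message and not PAS's own code: a simplified Python model of the property-collection loop described above, with a check that complains when every plugin comes back empty. The plugin classes, `collect_properties`, `NoPropertiesError` and the `strict` flag are hypothetical; only the method name `getPropertiesForUser` follows PAS's properties-plugin interface, and the user is reduced to a plain id string.

```python
import logging

log = logging.getLogger("pas.properties")  # hypothetical logger name


class NoPropertiesError(Exception):
    """Raised in strict mode when no plugin supplied any property."""


class StaticPropertiesPlugin:
    """Hypothetical stand-in for a correctly configured properties plugin."""

    def __init__(self, table):
        self.table = table

    def getPropertiesForUser(self, user, request=None):
        return self.table.get(user, {})


class MisconfiguredLDAPPlugin:
    """Hypothetical stand-in: a wrong setting makes every lookup come back empty."""

    def getPropertiesForUser(self, user, request=None):
        return {}


def collect_properties(user, plugins, strict=False):
    """Ask each (plugin_id, plugin) pair for properties and merge the answers.

    An empty overall result is never accepted silently: it is logged as a
    warning naming the plugins that were asked, or raised when strict=True.
    """
    sheets, empty = {}, []
    for plugin_id, plugin in plugins:
        data = plugin.getPropertiesForUser(user)
        if data:
            sheets[plugin_id] = dict(data)
        else:
            empty.append(plugin_id)
    if not sheets:
        msg = "user %r got zero properties; plugins asked: %s" % (
            user, ", ".join(empty) or "none")
        if strict:
            raise NoPropertiesError(msg)
        log.warning(msg)
    return sheets
```

With `strict=False` the login still proceeds but the log points at the properties plugins that returned nothing, which is the link to the misconfiguration that is otherwise hard to spot.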