Jens wrote:
> On 2 Feb 2007, at 19:45, Sidnei da Silva wrote:
> > Now, some might argue that this is an application-specific policy. The
> > fact is that there's no obvious way currently of 'vetoing' a login
> > based on the lack of certain user properties (like the email example
> > above).
> >
> > I would like to change PAS so this is possible to do. Any objections?
>
> Instead of adding yet another plugin type (I think there are too many
> as it is), shouldn't this be handled by an overridden plugin of one
> of the standard types, like maybe an overridden properties plugin?
>
> I think this is a very narrowly focused functionality that only very
> few users may ever need.

Another side-effect of the issue Sidnei raises is that it is quite easy for PAS to be configured such that a user gets *zero* properties, but PAS never complains. Everything seems to work fine, except things based on their user properties - eg, the user has no roles applied and no email address. This leads to subtle problems which are not obviously related to an incorrectly configured PAS.

While Sidnei focusses on site-specific policies, I believe the underlying issue - that a user can fail to get any properties - is more general. For example, if PAS is configured with an LDAP plugin, but the LDAP plugin is configured incorrectly, PAS will ask (possibly a number of) plugins for user-properties - but all return zero properties. At the end of the process, the user still has zero properties.

So to slightly change the focus of Sidnei's question: should PAS complain loudly when after enumerating all property related plugins, PAS fails to find *any* properties for a specific user?

Mark

_______________________________________________
Zope-PAS mailing list
http://mail.zope.org/mailman/listinfo/zope-pas
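
The two checks discussed in this thread (vetoing a login when a required property is missing, and complaining when no plugin returns any properties) can be sketched as follows. This is an added example, not code from PAS or from anyone in the thread; the plugin classes, the `properties_for` method, and `collect_properties` are hypothetical names, and the sample users are constructed.

```python
import logging

log = logging.getLogger("pas.properties")


class StaticProps:
    """Hypothetical properties plugin backed by a dict of user_id -> properties."""
    def __init__(self, plugin_id, table):
        self.id = plugin_id
        self.table = table

    def properties_for(self, user_id):
        return dict(self.table.get(user_id, {}))


class BrokenLDAPProps:
    """Hypothetical misconfigured LDAP plugin: the lookup fails and the error is swallowed."""
    id = "ldap"

    def properties_for(self, user_id):
        try:
            raise ConnectionError("wrong bind DN")  # constructed failure
        except ConnectionError:
            return {}  # the caller cannot tell "no data" from "broken config"


def collect_properties(user_id, plugins, required=()):
    """Merge property sheets from all plugins and report empty or incomplete results.

    Returns (properties, problems); an empty `problems` list means the login may proceed.
    """
    merged, empty_plugins = {}, []
    for plugin in plugins:
        sheet = plugin.properties_for(user_id) or {}
        if not sheet:
            empty_plugins.append(plugin.id)
        for key, value in sheet.items():
            merged.setdefault(key, value)  # first plugin to supply a key wins
    problems = []
    if not merged:
        problems.append("no properties from any plugin (%s)" % ", ".join(empty_plugins))
    problems += ["missing required property %r" % k for k in required if not merged.get(k)]
    for problem in problems:
        log.warning("user %r: %s", user_id, problem)  # the "complain loudly" part
    return merged, problems
```

A caller that wants the veto behaviour refuses the login whenever `problems` is non-empty; a caller that only wants visibility keeps the warning and lets the login continue.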
