Jens wrote:

> On 2 Feb 2007, at 19:45, Sidnei da Silva wrote:
> > Now, some might argue that this is an application-specific
> > policy. The fact is that there's no obvious way currently of
> > 'vetoing' a login based on the lack of certain user properties
> > (like the email example above).
> >
> > I would like to change PAS so this is possible to do. Any
> > objections?
> Instead of adding yet another plugin type (I think there are
> too many as it is), shouldn't this be handled by an overridden
> plugin of one of the standard types, like maybe an overridden
> properties plugin? I think this is a very narrowly focused
> functionality that only very few users may ever need.

Another side-effect of the issue Sidnei raises is that it is quite easy for
PAS to be configured such that a user gets *zero* properties, but PAS never
complains. Everything seems to work fine, except things based on their user
properties, e.g. the user has no roles applied and no email address. This
leads to subtle problems which are not obviously related to an incorrectly
configured PAS.

While Sidnei focusses on site-specific policies, I believe the underlying
issue - that a user can fail to get any properties - is more general.  For
example, if PAS is configured with an LDAP plugin, but the LDAP plugin is
configured incorrectly, PAS will ask (possibly a number of) plugins for
user-properties - but all return zero properties.  At the end of the
process, the user still has zero properties.

So to slightly change the focus of Sidnei's question: should PAS complain
loudly when after enumerating all property related plugins, PAS fails to
find *any* properties for a specific user?


Zope-PAS mailing list