Hi Jens,

> On 4 Feb 2007, at 23:24, Mark Hammond wrote:
> > So to slightly change the focus of Sidnei's question: should PAS complain
> > loudly when after enumerating all property related plugins, PAS fails to
> > find *any* properties for a specific user?
>
> I think you're mixing up a couple things, you brought roles into the
> game as well.

IIUC, in an LDAP environment the roles are generally filled based on the groups the user belongs to. Without a list of groups, the roles are generally incorrect. Without user-properties for a user, there are no groups, and therefore no roles. I understand different interfaces provide these roles, but in this case they all ultimately are derived from the properties fetched (or in this case, *not* fetched).

For my information, what things am I mixing up?

> For pure properties PAS should *not* complain. The
> basic user folder behavior doesn't even use and expect them, either.
> Maybe if a user has no roles it may complain, but even then I'm not
> sure.
>
> This whole properties issue looks very much like a "site policy"
> decision to me.

We've been mixing up functionality and implementation. Let's look at this another way:

If PAS fails to find the user that is being logged in, should it (a) complain or (b) allow the user to log in, but with that user having *no* properties at all?

I believe that for the vast majority of sites, the correct answer should be (a). Some sites may want a policy that allows (b), but I can't think of a reasonable use for that.

If we can agree on the desired semantics, we can then look at implementation. Currently PAS only allows for (b) - do people believe the semantics of (b) are a better default than (a)?

Cheers,

Mark
