> On 4 Feb 2007, at 23:24, Mark Hammond wrote:
> > So to slightly change the focus of Sidnei's question: should PAS complain
> > loudly when after enumerating all property related plugins, PAS fails to
> > find *any* properties for a specific user?
>
> I think you're mixing up a couple things, you brought roles into the
> game as well.

IIUC, in an LDAP environment the roles are generally filled based on the
groups the user belongs to. Without a list of groups, the roles are
generally incorrect. Without user-properties for a user, there are no
groups, and therefore no roles. I understand different interfaces provide
these roles, but in this case they all ultimately are derived from the
properties fetched (or in this case, *not* fetched).

For my information, what things am I mixing up?

> For pure properties PAS should *not* complain. The
> basic user folder behavior doesn't even use and expect them, either.
> Maybe if a user has no roles it may complain, but even then I'm not
> This whole properties issue looks very much like a "site policy"
> decision to me.

We've been mixing up functionality and implementation. Let's look at this
If PAS fails to find the user that is being logged in, should it (a)
complain or (b) allow the user to log in, but with that user having *no*
properties at all?

I believe that for the vast majority of sites, the correct answer should be
(a). Some sites may want a policy that allows (b), but I can't think of a
reasonable use for that.

If we can agree on the desired semantics, we can then look at
implementation. Currently PAS only allows for (b) - do people believe the
semantics of (b) are a better default than (a)?
Zope-PAS mailing list
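
The choice between (a) and (b) discussed in the message above, as an added sketch that is not part of the original thread and does not use the real PAS API. All names (build_user, ldap_properties, MissingUserData, the strict flag) and the sample data are hypothetical.

```python
import logging

log = logging.getLogger("pas_sketch")

class MissingUserData(Exception):
    """Raised under policy (a) when no plugin supplied any properties."""

def ldap_properties(user_id, directory):
    # Stand-in for a properties plugin: returns {} when the lookup finds nothing.
    return directory.get(user_id, {})

def roles_from_groups(groups, group_role_map):
    # Roles are derived from group membership, as in the LDAP setup described.
    return sorted({r for g in groups for r in group_role_map.get(g, ())})

def build_user(user_id, property_plugins, group_role_map, strict=True):
    """Enumerate property plugins, then derive groups and roles.

    strict=True  -> policy (a): complain when *no* plugin returned properties.
    strict=False -> policy (b): log the user in with no properties at all.
    """
    props = {}
    for plugin in property_plugins:
        props.update(plugin(user_id) or {})
    if not props:
        if strict:
            raise MissingUserData(f"no properties found for {user_id!r}")
        log.warning("user %r logged in with no properties", user_id)
    groups = props.get("groups", [])
    return {"id": user_id, "properties": props,
            "roles": roles_from_groups(groups, group_role_map)}

# Constructed sample data (not from the thread).
DIRECTORY = {"alice": {"mail": "alice@example.org", "groups": ["editors"]}}
GROUP_ROLES = {"editors": ["Editor", "Member"]}
PLUGINS = [lambda uid: ldap_properties(uid, DIRECTORY)]

if __name__ == "__main__":
    print(build_user("alice", PLUGINS, GROUP_ROLES))
    # Policy (b): bob is absent from the directory but still gets a user object.
    print(build_user("bob", PLUGINS, GROUP_ROLES, strict=False))
    try:
        build_user("bob", PLUGINS, GROUP_ROLES)  # policy (a)
    except MissingUserData as exc:
        print("refused:", exc)
```

Under policy (b) the missing lookup is visible only as an empty role list and a log line; under policy (a) the same condition stops the login.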