Hi Jens,

> On 4 Feb 2007, at 23:24, Mark Hammond wrote:
> > So to slightly change the focus of Sidnei's question: should PAS
> > complain loudly when, after enumerating all property-related plugins,
> > PAS fails to find *any* properties for a specific user?
> I think you're mixing up a couple of things, you brought roles into the
> game as well.

IIUC, in an LDAP environment the roles are generally filled based on the
groups the user belongs to.  Without a list of groups, the roles are
generally incorrect.  Without user properties for a user, there are no
groups, and therefore no roles.  I understand different interfaces provide
these roles, but in this case they are all ultimately derived from the
properties fetched (or in this case, *not* fetched).

For my information, what things am I mixing up?

> For pure properties PAS should *not* complain. The
> basic user folder behavior doesn't even use or expect them, either.
> Maybe if a user has no roles it may complain, but even then I'm not
> sure.
> This whole properties issue looks very much like a "site policy"
> decision to me.

We've been mixing up functionality and implementation.  Let's look at this
another way:

If PAS fails to find the user that is being logged in, should it (a)
complain or (b) allow the user to log in, but with that user having *no*
properties at all?

I believe that for the vast majority of sites, the correct answer should be
(a).  Some sites may want a policy that allows (b), but I can't think of a
reasonable use for that.

If we can agree on the desired semantics, we can then look at
implementation.  Currently PAS only allows for (b) - do people believe the
semantics of (b) are a better default than (a)?



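The (a)-versus-(b) choice above, as an added illustration that is not PAS code and not part of this thread: a hypothetical property-plugin loop that either raises when no plugin knows the user (fail closed, option a) or hands back an empty property set (fail open, option b), plus a hypothetical group-to-role plugin that shows how an empty property set silently turns into "no roles". All plugin classes, method names and sample users here are assumptions for the example.

```python
"""Fail-closed vs. fail-open user-property lookup (added example, not PAS code).

Assumes hypothetical plugin objects with a getPropertiesForUser(user_id)
method returning a dict or None, and a role plugin deriving roles from the
"groups" property, mirroring the LDAP groups -> roles flow described above.
"""
from dataclasses import dataclass


class UnknownUser(Exception):
    """Raised under the fail-closed policy (option a) when no plugin knows the user."""


@dataclass
class StaticPropertyPlugin:
    """Hypothetical plugin: an in-memory user -> properties table standing in for LDAP."""
    name: str
    users: dict

    def getPropertiesForUser(self, user_id):
        # None means "this plugin has never heard of the user", not "no properties".
        return self.users.get(user_id)


@dataclass
class GroupRolePlugin:
    """Hypothetical plugin mapping group names found in the properties to roles."""
    group_roles: dict

    def getRolesForUser(self, props):
        roles = set()
        for group in props.get("groups", ()):
            roles.update(self.group_roles.get(group, ()))
        return roles


def collect_properties(plugins, user_id, fail_closed=True):
    """Merge properties from every plugin; first plugin to supply a key wins.

    fail_closed=True  -> option (a): raise UnknownUser if *no* plugin knew the user.
    fail_closed=False -> option (b): return {} and let the login proceed.
    """
    found_any = False
    merged = {}
    for plugin in plugins:
        props = plugin.getPropertiesForUser(user_id)
        if props is None:
            continue
        found_any = True
        for key, value in props.items():
            merged.setdefault(key, value)
    if not found_any and fail_closed:
        raise UnknownUser(user_id)
    return merged


def login(plugins, role_plugin, user_id, fail_closed=True):
    """Build the logged-in user record: properties, then roles derived from them."""
    props = collect_properties(plugins, user_id, fail_closed=fail_closed)
    roles = role_plugin.getRolesForUser(props)
    return {"id": user_id, "properties": props, "roles": sorted(roles)}


# Constructed sample directory and role mapping (assumptions for the example).
PLUGINS = [
    StaticPropertyPlugin("ldap", {
        "alice": {"email": "alice@example.invalid", "groups": ["admins"]},
        "bob": {"email": "bob@example.invalid", "groups": ["staff"]},
    }),
]
ROLE_PLUGIN = GroupRolePlugin({"admins": ("Manager", "Member"), "staff": ("Member",)})


if __name__ == "__main__":
    print(login(PLUGINS, ROLE_PLUGIN, "alice"))
    # Option (b): the unknown user gets in with no properties and no roles.
    print(login(PLUGINS, ROLE_PLUGIN, "mallory", fail_closed=False))
    # Option (a): the unknown user is rejected at lookup time.
    try:
        login(PLUGINS, ROLE_PLUGIN, "mallory")
    except UnknownUser as exc:
        print("rejected:", exc)
```

Under the fail-open policy the unknown user is not an error anywhere in the chain: the role plugin is handed an empty dict and cheerfully returns an empty role set, which is exactly the "roles are generally incorrect" outcome described above. The fail-closed branch turns that silent degradation into an explicit failure at the property-lookup step, before any roles are computed.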