Hi Stefan,

On 2009-8-11 17:59, Stefan H. Holek wrote:
> Short version:
> PAS cannot be entirely ignorant of masquerading, because plugins are
> allowed to call back to "their" PAS (via _getPAS()) and may pass login
> names containing masquerading information.

I'm already lost at this point. If your intention is to fully masquerade 
as another user why would there be masquerading information in the login 
name? The login name and userid should both be set for the assumed user.

This should be doable by setting a separate cookie to set the assumed 
identity along with a special form which can be used by helpdesk 
personnel (I'm assuming that is the main use case) to switch identities.
As long as you put the authentication plugin for your user-masquerading 
cookie first this should work transparently. You could even add a role 
plugin which detects the masquerading cookie and adds a special role 
which you can use in the UI to add a switch-back-to-real-user option.

As far as I can see to implement user masquerading you will need:

- a special user-switch form to set up a masquerading cookie
- a PAS extraction and authentication plugin which handles that cookie.
   this might even just be another instance of plone.session.
- optionally a role plugin to add a special role when masquerading is

This should be doable without any changes in PAS itself.


Wichert Akkerman <wich...@wiggy.net>   It is simple to make things.
http://www.wiggy.net/                  It is hard to make things simple.
Zope-PAS mailing list
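
The cookie-based design described in the message above, sketched as an added example (not code from the thread, PAS, or plone.session). It is a stand-alone class whose two methods mirror the PAS extraction and authentication plugin methods; the cookie name, the secret, the helpdesk set, the payload layout and taking a plain cookie dict instead of a request are all assumptions.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"   # constructed; a real site keeps this server-side
COOKIE = "__masq"                  # hypothetical cookie name
HELPDESK = {"alice"}               # constructed: users allowed to switch identity

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def make_cookie(real_user, assumed_user, now=None, ttl=900):
    """What the user-switch form would set after checking who is asking."""
    if real_user not in HELPDESK:
        raise PermissionError("not allowed to masquerade")
    if "|" in real_user + assumed_user:
        raise ValueError("separator not allowed in user names")
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{real_user}|{assumed_user}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

class MasqueradePlugin:
    """Shaped like a PAS extraction + authentication plugin (stand-alone here)."""

    def extractCredentials(self, cookies):
        value = cookies.get(COOKIE)
        return {"masq": value} if value else {}

    def authenticateCredentials(self, credentials, now=None):
        now = time.time() if now is None else now
        value = credentials.get("masq")
        if not value or "." not in value:
            return None
        encoded, mac = value.rsplit(".", 1)
        try:
            payload = base64.urlsafe_b64decode(encoded.encode())
            real_user, assumed, expires = payload.decode().split("|")
            expires = int(expires)
        except ValueError:             # bad base64, bad UTF-8, wrong field count
            return None
        if not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
            return None                # cookie was not issued by the switch form
        if real_user not in HELPDESK or expires < now:
            return None                # privilege revoked or cookie expired
        return (assumed, assumed)      # userid and login both set to the assumed user
```

Because the real user stays inside the signed payload, a role plugin or an audit log can still tell who is behind the assumed identity.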
