[Phpwiki-talk] stacked or strict or pre-defined password method order?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi
I'm just finishing the new wikiuser authcode and came to this question:

In the current code the authentification methods are "stacked", that 
means, that the methods are searched in a predefined search order
(e.g. Anon or Bogo or HomePage password => ldap => imap => http_auth).

The first method which returns true is taken. False is only returned if 
all defined methods will fail.

With my new code we allow even more auth methods:
   internal db, external db, file

Now how should the admin configure his authentification:
1)  Should he be able to define the search order?
2)  Should he be able to define stacked (policy c) or strict (policy b) 
or pre-defined method order (policy a)?

The problem is that the user may exist with the current method but the 
password is wrong, which brings him to the next method. This might not 
be wished for certain auth methods were the username and password must 
match and no other methods may be tried if the username exists in the 
databse but with the wrong password. For example the database password 
is wrong, but a file password matches is ok.

Currently the order of first three methods is fixed:
     Anon if defined, Bogo if defined, User if defined.
Those three methods are stacked.

With the new methods in the new auth classes (called if 
ALLOW_USER_PASSWORDS is defined and the previous methods failed) one 
could define policy c: a stacked scheme ("try next method if it fails"), 
or policy b: a stricter scheme ("check user and if she exists the 
password, on failure try no other methods").
To make thing even more complicate my current code makes use of only one 
pre-defined external auth method (policy a), which simply upgrades the 
user class in the constructor, and not in the checkUser() or 
UserExists() methods.

How to define the auth policies in index.php?

One could easily define a new config variable like
   define('FAIL_ON_WRONG_PASSWORD',true);
which defines the strict scheme, and if not defined
the stacked scheme will be used.
The simple problem is that then we will have to define one more method 
for all user classes:
   $user->UserExists():
Currently we need only ->checkPass() and optionally ->storePass().

The code for a simple predefined scheme, (not-stacked) scheme is now 
ready, were only one auth method is predefined, for all users.
-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/