From: Reini U. <ru...@x-...> - 2004-01-22 02:35:39
Hi, I'm just finishing the new wikiuser auth code and came to this question:

In the current code the authentication methods are "stacked", that means that the methods are searched in a predefined search order (e.g. Anon or Bogo or HomePage password => ldap => imap => http_auth). The first method which returns true is taken. False is only returned if all defined methods fail.

With my new code we allow even more auth methods: internal db, external db, file. Now how should the admin configure his authentication:

1) Should he be able to define the search order?
2) Should he be able to define stacked (policy c) or strict (policy b) or pre-defined method order (policy a)?

The problem is that the user may exist with the current method but the password is wrong, which brings him to the next method. This might not be wished for certain auth methods where the username and password must match and no other methods may be tried if the username exists in the database but with the wrong password. For example: the database password is wrong, but a file password matches, is ok.

Currently the order of the first three methods is fixed: Anon if defined, Bogo if defined, User if defined. Those three methods are stacked. With the new methods in the new auth classes (called if ALLOW_USER_PASSWORDS is defined and the previous methods failed) one could define policy c: a stacked scheme ("try next method if it fails"), or policy b: a stricter scheme ("check user and if she exists the password, on failure try no other methods").

To make things even more complicated, my current code makes use of only one pre-defined external auth method (policy a), which simply upgrades the user class in the constructor, and not in the checkUser() or UserExists() methods.

How to define the auth policies in index.php? One could easily define a new config variable like define('FAIL_ON_WRONG_PASSWORD',true); which defines the strict scheme, and if not defined the stacked scheme will be used.

The simple problem is that then we will have to define one more method for all user classes: $user->UserExists(). Currently we need only ->checkPass() and optionally ->storePass().

The code for a simple predefined (not-stacked) scheme is now ready, where only one auth method is predefined, for all users.

-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
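As an added illustration of the three policies discussed in the message above (this is not code from PhpWiki or from its author), the following PHP runs an admin-defined search order over two constructed in-memory backends and shows the case the message worries about: under the stacked policy a wrong db password is rescued by a matching file password, while under the strict policy the login stops at the first method that knows the user. The AuthMethod interface, the ArrayAuth class, authenticate() and policyFromConfig() are hypothetical names invented here; only checkPass(), UserExists() and the proposed FAIL_ON_WRONG_PASSWORD define come from the message.

```php
<?php
// Added example, not PhpWiki code: the three auth policies described in the
// mail (a: pre-defined single method, b: strict, c: stacked) run against
// constructed in-memory backends. Class and function names are hypothetical.

interface AuthMethod
{
    public function userExists(string $user): bool;
    public function checkPass(string $user, string $pass): bool;
    public function name(): string;
}

// Constructed backend: a username => password map. Plaintext only for the demo;
// a real backend would compare password hashes.
class ArrayAuth implements AuthMethod
{
    public function __construct(private string $name, private array $users) {}

    public function name(): string
    {
        return $this->name;
    }

    public function userExists(string $user): bool
    {
        return array_key_exists($user, $this->users);
    }

    public function checkPass(string $user, string $pass): bool
    {
        // Constant-time comparison; false when the user is unknown to this backend.
        return $this->userExists($user) && hash_equals($this->users[$user], $pass);
    }
}

const POLICY_PREDEFINED = 'a';
const POLICY_STRICT     = 'b';
const POLICY_STACKED    = 'c';

// Map the config switch proposed in the mail onto a policy:
// define('FAIL_ON_WRONG_PASSWORD', true) selects strict, otherwise stacked.
function policyFromConfig(): string
{
    return (defined('FAIL_ON_WRONG_PASSWORD') && FAIL_ON_WRONG_PASSWORD)
        ? POLICY_STRICT
        : POLICY_STACKED;
}

/**
 * Try $methods in the admin-defined search order and return the name of the
 * method that accepted the login, or null if the login is rejected.
 */
function authenticate(array $methods, string $policy, string $user, string $pass): ?string
{
    if ($policy === POLICY_PREDEFINED) {
        // Policy a: one pre-defined method for all users, no fall-through at all.
        $m = $methods[0];
        return $m->checkPass($user, $pass) ? $m->name() : null;
    }
    foreach ($methods as $m) {
        if ($m->checkPass($user, $pass)) {
            return $m->name();
        }
        if ($policy === POLICY_STRICT && $m->userExists($user)) {
            // Policy b: the user exists here but the password is wrong.
            // Stop now so a later backend cannot override this verdict.
            return null;
        }
        // Policy c: stacked, fall through to the next method.
    }
    return null;
}

// Constructed data: 'alice' is known to both backends with different passwords,
// 'bob' only to the file backend.
$db    = new ArrayAuth('db',   ['alice' => 'db-secret']);
$file  = new ArrayAuth('file', ['alice' => 'file-secret', 'bob' => 'bob-pw']);
$order = [$db, $file];

// alice logs in with the file password while the db password is wrong:
// stacked accepts via 'file', strict rejects because db already knew her.
printf("stacked:     %s\n", authenticate($order, POLICY_STACKED, 'alice', 'file-secret') ?? 'rejected');
printf("strict:      %s\n", authenticate($order, POLICY_STRICT, 'alice', 'file-secret') ?? 'rejected');
// bob is unknown to db, so strict still falls through to file.
printf("strict/bob:  %s\n", authenticate($order, POLICY_STRICT, 'bob', 'bob-pw') ?? 'rejected');
// Policy a only ever consults the first (pre-defined) method.
printf("predefined:  %s\n", authenticate($order, POLICY_PREDEFINED, 'alice', 'file-secret') ?? 'rejected');

define('FAIL_ON_WRONG_PASSWORD', true);
printf("from config: policy %s\n", policyFromConfig());
```

The strict branch is what forces every backend to expose a userExists() check in addition to checkPass(): without it the loop cannot tell "unknown here" apart from "known here, wrong password", and the two cases have to be treated differently to stop the fall-through.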