RemoteAuth: support more diverse auth failures
Bug #1936422 reported by
Jeff Davis
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | New | Wishlist | Unassigned |
Bug Description
With RemoteAuth, you can prevent users from authenticating if they lack a certain permission or have certain types of standing penalties. However, these authentication failures are not distinguished from other types of failures: a user without the required perm is treated as not found, and a user with penalties is treated as blocked. There ought to be distinct error handling for these auth failures, so that (for example) you can explain to community borrowers that access is restricted to students and faculty instead of telling them their account doesn't exist, or tell them to check with the circ desk about overdue fines instead of simply saying they're blocked.
Changed in evergreen:
importance: Undecided → Wishlist
tags: added: authentication
Working branch user/jeffdavis/lp1936422-remoteauth-more-error-codes has a first pass at handling "not permitted" and "has penalties" failures separately, but I need to do some testing before adding a pull request.