Comment 1 for bug 1546769
Revision history for this message
| Aaron Wells (u-aaronw) wrote Re: The 'None' auth needs to be locked down more to avoid troubles with multi institutions | #1 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0f7b58d
(Get the code!)
On further discussion with Robert, we've agreed that the best thing to do is simply to remove the "none" authentication method from Mahara core entirely. So the plan is roughly this:
1. Remove the "auth/none" plugin directory from Mahara
2. Put the auth/none code into a separate git repository, so it can be downloaded and installed separately by sites that actually do want to use it.
3. Put migration code in place, that will find any institutions that have "None" as their only auth method, and set up an Internal auth method for them.
4. Further migration code that finds any users who are set to a "None" auth method, and converts them to an Internal auth method (without a password)
5. A note in the README that indicates that the "none" auth method was removed and that if you're a site that is seriously using it, you should add the plugin back into your site before running the upgrade script, or your users will be migrated from "None" to "Internal"
6. Make sure that the migration code in steps 3 & 4 checks to see if you have, indeed, downloaded and installed the new optional None plugin. And if you have, it doesn't migrate the users, because apparently you actually are using the plugin.
7. And optionally, to provide better support for sites that do the "copy-over" upgrade, make the migration code check to see if you have the *old* version of the "None" plugin present in your site, and if so, disable it.