Feature: Exception to abort authentication
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope PAS | Fix Released | Wishlist | Tres Seaver |
Bug Description
Zope 2 supports a hierarchical authentication. If a user folder is unable to authenticate a user with sufficient permissions, a higher up user folder gets the chance to authenticate the user. This is often used to give Zope "Manager"s access to subsites with their own user folder.
Meanwhile I have met two scenarios where the standard feature seems not sufficient:
* IP based (anonymous) authorization: "Manager"s from domains matched by IP rules have a bad experience (they do not see ZMI actions they expect, they cannot visit parts of a subsite due to insufficient privileges).
* some modern authentication protocols (e.g. OpenID and SAML2) are so expensive (relying on multiple interactions with foreign sites) that they should only be triggered when there is real need.
My idea to address these scenarios: implementation of an "IAuthentication" plugin that checks higher up user folders whether they can authenticate the current user. However, this plugin cannot succeed in the normal way, because then the user would be associated with the current user folder, not the one higher up. Therefore, I propose the definition of a special exception (e.g. "Authentication
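The mechanism the report proposes, as an added, constructed model that is not Zope's or PAS's own code: a chain of user folders, an IP-rule plugin standing in for the first scenario, and a deferring plugin that raises an abort exception so the higher-up folder, rather than the subsite, ends up owning the authenticated user. The class, function and exception names are assumptions for illustration only.

```python
# Constructed model of the proposal (not Zope's or PAS's own code): a subsite user
# folder whose plugin aborts local authentication so a higher-up folder takes over.
from dataclasses import dataclass

class AuthenticationAbort(Exception):
    """Stop the current folder's authentication without failing it."""

@dataclass
class UserFolder:
    name: str
    passwords: dict                     # login -> password (constructed sample)
    parent: "UserFolder | None" = None
    plugins: tuple = ()                 # callables(folder, creds) -> user or None

    def authenticate_locally(self, creds):
        """Plugins first, then own password check; returns (login, folder) or None."""
        for plugin in self.plugins:
            user = plugin(self, creds)
            if user is not None:
                return user
        if self.passwords.get(creds.get("login")) == creds.get("password"):
            return (creds["login"], self.name)
        return None

    def authenticate(self, creds):
        """Zope-style hierarchy: try here, then acquire upward."""
        try:
            user = self.authenticate_locally(creds)
        except AuthenticationAbort:
            user = None                 # local result discarded on purpose
        if user is None and self.parent is not None:
            return self.parent.authenticate(creds)
        return user

def ip_rule_plugin(folder, creds):
    """Scenario 1 of the report: anyone from 10.* becomes an anonymous subsite user."""
    return ("intranet-visitor", folder.name) if creds.get("ip", "").startswith("10.") else None

def defer_to_parent_plugin(folder, creds):
    """Proposed plugin: abort here if a higher-up folder can authenticate the creds."""
    ancestor = folder.parent
    while ancestor is not None:
        if ancestor.authenticate_locally(creds) is not None:
            raise AuthenticationAbort(ancestor.name)
        ancestor = ancestor.parent

def build_subsite(with_defer):
    root = UserFolder("root", {"admin": "s3cret"})         # site Managers live here
    plugins = ((defer_to_parent_plugin,) if with_defer else ()) + (ip_rule_plugin,)
    return UserFolder("subsite", {"bob": "pw"}, root, plugins)
```

Without the deferring plugin a site Manager arriving from the intranet range is swallowed by the subsite's IP rule; with it, the abort lets the root folder authenticate the same credentials.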
Changed in zope-pas: status: Fix Committed → Fix Released
I'd be willing to merge a branch implementing this feature, assuming it had really good test coverage for all the edge cases it creates.