[Zope-PAS] [Collective-checkins] r93341 - in mr.ripley/trunk: . src/mr/ripley

Wichert Akkerman wichert at wiggy.net
Wed Aug 12 16:12:10 EDT 2009


Hi Stefan,

On 2009-8-11 17:59, Stefan H. Holek wrote:
> Short version:
> PAS cannot be entirely ignorant of masquerading, because plugins are
> allowed to call back to "their" PAS (via _getPAS()) and may pass login
> names containing masquerading information.

I'm already lost at this point. If your intention is to fully masquerade 
as another user why would there be masquerading information in the login 
name? The login name and userid should both be set for the assumed user.

This should be doable by setting a separate cookie to set the assumed 
identity along with a special form which can be used by helpdesk 
personnel (I'm assuming that is the main use case) to switch identities.
As long as you put the authentication plugin for your user-masquerading 
cookie first this should work transparently. You could even add a role 
plugin which detects the masquerading cookie and adds a special role 
which you can use in the UI to add a switch-back-to-real-user option.

As far as I can see to implement user masquerading you will need:

- a special user-switch form to set up a masquerading cookie
- a PAS extraction and authentication plugin which handles that cookie.
   this might even just be another instance of plone.session.
- optionally a role plugin to add a special role when masquerading is
   active

This should be doable without any changes in PAS itself.

Wichert.


-- 
Wichert Akkerman <wichert at wiggy.net>   It is simple to make things.
http://www.wiggy.net/                  It is hard to make things simple.
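
A sketch of the cookie handling outlined in the message above, added here as an illustration; it is not code from the original message, from plone.session or from PAS. The function names mirror the extraction, authentication and role steps, and the cookie name, secret, 15-minute lifetime and HMAC-SHA256 cookie format are all assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: server-side key, never sent to clients
MAX_AGE = 900                        # assumption: masquerade sessions last 15 minutes
COOKIE_NAME = "__masq"               # hypothetical cookie name


def issue_cookie(real_user, assumed_user, now=None):
    """Called by the user-switch form after it has checked the operator's permission."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"real": real_user, "as": assumed_user, "iat": issued},
                         sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig + payload).decode()


def extract_credentials(cookies):
    """Extraction step: pull the raw cookie out of the request, no trust decision yet."""
    value = cookies.get(COOKIE_NAME)
    return {"masq_cookie": value} if value else {}


def authenticate_credentials(credentials, now=None):
    """Authentication step: return (userid, login) of the assumed user, or None."""
    raw = credentials.get("masq_cookie")
    if not raw:
        return None
    try:
        blob = base64.urlsafe_b64decode(raw.encode())
        sig, payload = blob[:32], blob[32:]  # SHA-256 tag is 32 bytes
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or altered cookie
        data = json.loads(payload)
        age = (time.time() if now is None else now) - data["iat"]
        if not 0 <= age <= MAX_AGE:
            return None  # expired, or issued in the future
        return (data["as"], data["as"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed cookie: fall through to the next plugin


def roles_for_request(cookies, now=None):
    """Role step: marker role so the UI can offer switch-back-to-real-user."""
    creds = extract_credentials(cookies)
    return ("Masquerading",) if authenticate_credentials(creds, now) else ()
```

The `real` field keeps the operator's own identity inside the signed payload, so the switch-back option and any audit log can name who is acting as the assumed user.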

