[Zope] LoginManager and multiple UserSources

Andy Gimblett andy.gimblett@ftech.net
Fri, 17 Aug 2001 15:04:47 +0100 

Gaah! Apologies for empty email preceding...

Some thoughts on LoginManager and multiple UserSources...

Here's LoginManager's getItem() method, which goes through the user
sources, looking for an user with the right name:

    def getItem(self,name):
        # Retrieve a user with the given name, or None if no such
        # user exists. Uses the registry of UserSources, after
        # first checking for the superusSer/root users.

        if rootUsers.has_key(name):
            return rootUsers[name].__of__(self)

        for source in self.userSourcesList:
            user = source.__of__(self).getItem(name)
            if user is not None:
                return user

        return None

This is called by a LoginMethod to retrieve a user object, which
it then attempts to authenticate by calling the user object's
authenticate() method.

Now, what happens when you have multiple UserSources? getItem()
returns the first user it finds. But it does this without attempting
any authentication. So if you have two UserSources, both of which
contain the same user, but for which the first won't authenticate,
but the second will, you _don't_ get logged in (because getItem()
just returns the first, which will fail, and the second doesn't
get checked at all).

Wouldn't it be "nice" if LoginManager could return multiple users from
multiple sources, allowing the LoginMethod to try authenticating
each, and decide for itself on whether to authenticate the user
depending on the combination of results (eg you might want to
authenticate provided at least one succeeds, or you might demand that
they all succeed, etc.).

Does this make sense to anyone else? Or am I being a complete
nutcase? I should note that I don't (at this point) need this in
any operational sense, I was just doing it for debugging purposes,
but it strikes me that this would be an useful extension, and that
one day I might well want it.

Would this be a good thing? Would this be a waste of time? Is this
an incredibly bad idea for some reason?

Thoughts?

-Andy

-- 
Andy Gimblett - Programmer - Frontier Internet Services Limited
Tel: 029 20 820 044 Fax: 029 20 820 035 http://www.frontier.net.uk/
Statements made are at all times subject to Frontier's Terms and
Conditions of Business, which are available upon request.