[Zope-PAS] [Collective-checkins] r93341 - in mr.ripley/trunk: . src/mr/ripley

Wichert Akkerman wichert at wiggy.net
Tue Oct 13 06:39:12 EDT 2009


On 8/12/09 22:12 , Wichert Akkerman wrote:
> Hi Stefan,
>
> On 2009-8-11 17:59, Stefan H. Holek wrote:
>> Short version:
>> PAS cannot be entirely ignorant of masquerading, because plugins are
>> allowed to call back to "their" PAS (via _getPAS()) and may pass login
>> names containing masquerading information.
>
> I'm already lost at this point. If your intention is to fully masquerade
> as another user why would there be masquerading information in the login
> name? The login name and userid should both be set for the assumed user.
>
> This should be doable by setting a separate cookie to set the assumed
> identity along with a special form which can be used by helpdesk
> personnel (I'm assuming that is the main use case) to switch identities.
> As long as you put the authentication plugin for your user-masquerading
> cookie first this should work transparently. You could even add a role
> plugin which detects the masquerading cookie and adds a special role
> which you can use in the UI to add a switch-back-to-real-user option.
>
> As far as I can see to implement user masquerading you will need:
>
> - a special user-switch form to set up a masquerading cookie
> - a PAS extraction and authentication plugin which handles that cookie.
>     this might even just be another instance of plone.session.
> - optionally a role plugin to add a special role when masquerading is
>     active
>
> This should be doable without any changes in PAS itself.

Point in case: there are now at least two plugins in the collective 
which implement this feature.

Wichert.
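
A framework-free sketch of the three pieces listed in the quoted message, added here as an illustration and not taken from either collective plugin or from PAS itself. The method names follow the PAS plugin interfaces, but the cookie name, secret, expiry, "Masquerading" role name and the use of a plain user id as the principal are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret, kept server-side
COOKIE = "__masq"                  # hypothetical cookie name
MAX_AGE = 900                      # assumption: seconds a switch stays valid


def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def make_cookie(real_user, assumed_user, now=None):
    """Value the user-switch form sets once the helpdesk user is authorised."""
    issued = str(int(time.time() if now is None else now))
    body = "|".join((real_user, assumed_user, issued))
    return body + "|" + _sign(body)


class MasqueradePlugin:
    """Extraction, authentication and role lookup for the masquerading cookie."""

    def extractCredentials(self, request):
        value = request.get(COOKIE)
        return {"masq": value} if value else {}

    def authenticateCredentials(self, credentials, now=None):
        parts = credentials.get("masq", "").split("|")
        if len(parts) != 4:
            return None
        real, assumed, issued, sig = parts
        body = "|".join((real, assumed, issued))
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None                  # forged or altered cookie
        age = (time.time() if now is None else now) - int(issued)
        if not 0 <= age <= MAX_AGE:
            return None                  # expired: the next plugin decides
        return (assumed, assumed)        # (userid, login) of the assumed user

    def getRolesForPrincipal(self, principal, request):
        # principal is a plain user id in this sketch
        creds = self.extractCredentials(request)
        user = self.authenticateCredentials(creds) if creds else None
        return ("Masquerading",) if user and user[0] == principal else ()
```

Keeping the real user inside the signed value leaves an audit trail of who assumed the identity, and the extra role applies only while a valid, unexpired cookie is present.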

