__auth__/__access_ methods in publisher

[Graham Dumpleton <gr...@dscpl.com.au>]

Jim Gallacher (JIRA) wrote ..
> I think part of the problem with process_auth() is the uncertainty of meaning
> associated with auth and __auth__. Does it mean authenticate or authorize?
> If it's authorize, then there is no reason to call __auth__ with the password.
> Likewise, you shouldn't need the user name when calling __access__. One
> could certainly come up with access rules which are not tied to a specific
> user.
> 
> Maybe we should consider refactoring process_auth() to look for 2 new attributes
> such as __authen__ and __author__, and deprecate the use of __auth__. If
> somebody wants to do authentication in publisher then their code would
> be completely responsible for returning either a user or raising an error.
> (Further discussion of this should be shifted out of this particular issue).

Yes __auth__ is effectively equivalent to authenhandler, but __access__
is actually equivalent to authzhandler and not accesshandler as it
suggests.

In other words I see __access__ to be there to allow doing the
equivalent of the "Require" directive where a user name would actually
be required.

Given the fragility of __auth__/__access__ functions nested inside of a
function, I would suggest just leave it as is and perhaps steer people to
using an actual acesshandler/authhandler/authzhandler instead. That is,
promote the Apache way of doing things. This doesn't even mean that
these steps need be done in Python as mod_auth or other authentication
and authorisation modules written in other languages could just as easily
be used.

I'll have a lot more to say about this at a future date when I have finished
some examples I am writing of authentication/authorisation handlers in
mod_python implemented in the proper Apache way. This wasn't actually
possible to do until I committed some of the changes I did in 3.3 trunk.

Graham