[dev] [commits] Horde branch master updated. 5df37f9934afeee9f4741d41f92c06cfc4b39ca9

[Jan Schneider]

Zitat von Michael M Slusarz <slusarz at horde.org>:

> Quoting Jan Schneider <jan at horde.org>:
>
>>> I'll agree that guest access is broken with the old code.  But  
>>> this change makes things worse (especially #2).  The proper fix  
>>> probably lies in Horde_Auth_Application - the default  
>>> transparent() authentication method, for apps that don't require  
>>> any additional authentication, should do the proper guest  
>>> permission checking there.
>>
>> That sounds awkward, permission checking is authorization, so it  
>> shouldn't be done in the authentication code. How about having the  
>> application report back to Horde_Auth_Application whether they  
>> require authentication, and use that information? Or can we maybe  
>> even already assume that having an 'authenticate' API method make  
>> this a requirement?
>
> This is correct.  The default is that applications don't need  
> separate authentication.  Once an application defines an  
> authAuthenticate or authTransparent method, that alone should be  
> sufficient to alert Horde_Auth_Application that further application  
> authentication is needed.
>
>> That solution would involve a new  
>> Horde_Auth::requireAuthentication() method.
>
> I assume you mean Horde_Auth_Application::requireAuthentication()?   
> This doesn't make sense for any of the other auth drivers.

I was thinking of Horde_Auth, because we don't use an object instance  
in the registry so far. At least not in the places we've been talking  
about so far.
That would just be wrapper to Horde_Auth_Base/Application of course.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/