User authentication

[Robert E. Coyle]

User authentication is the only part left before whups is usable
(albeit unfriendly for the administrator).  These are the requirements
for a public ticket tracking system:

 + You can browse all public tickets without logging in. (Do we want
   to provide for having certain tickets private?  That could lead
   to all sorts of requests, like "I want this ticket viewable, but
   this comment and attachment viewable to only these users" etc
   which will just make things far too complicated).  It could be
   done by ticket type or ticket module, but you would then need
   to put users in access groups.

   There needs to be an access level anyway, as in new users can
   only add tickets in any 'unconfirmed' state, but certain users
   will want to be able to add tickets directly into a 'new' state.

 + Anyone who has logged in can add themselves to the notification
   list of any (public) ticket.

 + On a public tracking system, anyone with a valid email address
   can register themselves as a user of the system.

 + To add a comment or attachment, you have to be logged in.  This
   is so you can't place a comment or ticket without leaving your
   email address.

 + To set the owner, priority, or status, you have to be either the
   current owner of the ticket or the QA person responsible for that
   ticket type.  This is a very coarse level of privilege affinity,
   but it makes things much simpler.  Maybe there could be an all-
   powerful manager group that can do anything to any ticket.

Private systems are different only in that you can't do anything
without a login, and you can't add yourself to the system.

How much provision for this is in the current horde authentication
system?  I haven't had a chance to look into it properly yet.

Rob

-- 
Jone's Law:
The man who smiles when things go wrong has thought of someone
to blame it on.