Forum OpenACS Development: Re: Login timeout problem in 5.0

Posted by Don Baccus on
On the implementation side, I think the untrusted_user_id and user_id distinctions - and when to use them - are inherently error-prone and I predict that we'll see various packages, particularly those done in contrib and custom packages done for clients by various people, get it wrong.  This will lead to inconsistent behavior.  Security should be OK for old packages though that continue to check for user_id in all cases.  If we don't use the two ids consistently I don't personally see much value in the new functionality.

So burying the login checking code in the permission check Tcl proc seems like a good idea.  #4 or #5 seems straightforward but chasing down all the permissions checks will take time and of course we need to document how to use the new scheme.

I shouldn't be forced to log in to see a page the public can see, though.  That just seems wrong.  In a sense it penalizes me for having logged in and walked away without logging out.  So I guess #5 makes sense.  This has the potential for slowing down the request processor which does a read check but then again the RP check would lead to consistent behavior.

Since we don't have any applications that know how to display personalized but non-sensitive information at the moment, I think #3 is best for 5.0 and any future functionality in this area ought to be TIP'd before we implement it.
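An added example, not from the thread or from OpenACS itself, that models in Python the read-check behaviour the post argues for (public pages never force a re-login, a timed-out session is sent to log in only for non-public pages) next to the untrusted_user_id mistake it predicts; the party ids, ACL table and session states are constructed.

```python
from dataclasses import dataclass

PUBLIC = 0  # constructed stand-in for "the public" party


@dataclass(frozen=True)
class Session:
    user_id: int            # 0 once the login has timed out (or never logged in)
    untrusted_user_id: int  # who the session claims to be, even after timeout


# Constructed read ACL: object_id -> party ids allowed to read it.
READ_ACL = {
    "public-page": {PUBLIC},
    "members-page": {42, 99},
}


def can_read(party_id, object_id):
    acl = READ_ACL.get(object_id, set())
    return PUBLIC in acl or party_id in acl


def check_read(session, object_id):
    """Return 'allow', 'login' or 'deny' for a read request.

    A public page is readable by anyone, so a timed-out login is never pushed
    back through the login form just to see it.  A non-public page is granted
    only on the trusted user_id: with user_id == 0 the caller is asked to log
    in, and an authenticated user without the privilege is denied.
    """
    if can_read(PUBLIC, object_id):
        return "allow"
    if session.user_id == 0:
        return "login"
    return "allow" if can_read(session.user_id, object_id) else "deny"


def check_read_wrong(session, object_id):
    """The mistake the post predicts: treating untrusted_user_id as the
    authenticated identity lets a timed-out session keep reading."""
    return "allow" if can_read(session.untrusted_user_id, object_id) else "deny"
```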