If someone is actually going to implement sudo-like functionality for
OpenACS - which is an excellent idea - the proper solution must
encompass giving Admins at least these two switches:
- Drop my admin privilege for now, until I tell you otherwise.
- Turn on my admin privileges today (for X hours). [Requires password.]
Plus add any other similar variants that Admin users want.
By default, when an Admin logs in, he should have only the
privileges of a normal user, because most Admins are also normal users
of the site, and are usually logging in to use the site, not to
immediately start doing protected Admin activity. However, you might
as well give Admins a checkbox on the log-in screen, defaulted to off,
which says, "Enable my Admin privilege immediately, for the next 10
minutes."
Probably, when an Admin tries to do an admin-thing the system should
ask him for his password and implicitly push a "Turn on my admin
privileges for the next 10 minutes" button for him. However, it
wouldn't be so bad just to deny the action and give him a link to the
"turn on my Admin privileges" page instead.
But if an Admin needs to, he should be able to explicitly enable - and
leave enabled - his Admin-ness for some longer period of time.
Depending on the site, this time should probably be 1 to 24 hours.
And of course, very preferably, the "10 minutes" expiration time, just
like with sudo, should be counted from the last successful Admin
operation, not from the time it was turned on. This means if an Admin
is admining away feverishly for 3 hours, the "10 minute" time will
never expire until he's done. It's not absolutely critical, because
an Admin should always be able to just explicitly turn on his
privileges for longer instead, but actual real-world security will
probably be better with the smart "timeout clock starts from last
admin operation" feature.
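As an added illustration of the scheme sketched above (this is not code from the original post and not OpenACS code, which would be Tcl; it is a stand-alone Python model of the state machine), the example below implements the two switches, the password re-check on enabling, the login-page checkbox defaulted to off, an explicit fixed-length grant capped at a site-configurable maximum, and the sudo-style sliding 10-minute clock that restarts on every successful admin operation. The names (Account, AdminSession, SHORT_WINDOW, MAX_EXPLICIT_WINDOW), the PBKDF2 password check and the explicit `now` parameters are assumptions chosen so the expiry logic can be exercised without waiting on the wall clock.

```python
"""Sudo-style admin privilege toggle for a web session, modelled in Python.

Added example: a model of the scheme described in the post, not OpenACS code.
Names (Account, AdminSession, SHORT_WINDOW, ...) are assumptions for
illustration; the `now` parameters let the expiry logic be exercised
without waiting on the wall clock.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional

SHORT_WINDOW = 10 * 60            # "enable for the next 10 minutes"
MAX_EXPLICIT_WINDOW = 24 * 3600   # site-configurable cap on "leave enabled for X hours"


class AdminRequired(Exception):
    """Admin action attempted without live admin privilege; the caller should
    deny the action and link to the 'turn on my Admin privileges' page."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    is_admin: bool          # the account holds the admin role at all
    salt: bytes
    pw_hash: bytes


def new_account(name: str, password: str, is_admin: bool) -> Account:
    salt = os.urandom(16)
    return Account(name, is_admin, salt, _hash_password(password, salt))


@dataclass
class AdminSession:
    account: Account
    admin_until: float = 0.0   # epoch seconds the privilege lasts until; 0 = dropped
    sliding: bool = False      # True: each successful admin op restarts the clock

    def _password_ok(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self.account.salt),
                                   self.account.pw_hash)

    def enable(self, password: str, seconds: int = SHORT_WINDOW,
               sliding: bool = True, now: Optional[float] = None) -> bool:
        """Turn on admin privilege. Always re-checks the password, like sudo.
        Default is the short sliding window; an explicit longer grant
        (sliding=False) stays on for a fixed period up to the site's cap."""
        if not self.account.is_admin or not self._password_ok(password):
            return False
        now = time.time() if now is None else now
        self.admin_until = now + min(seconds, MAX_EXPLICIT_WINDOW)
        self.sliding = sliding
        return True

    def drop(self) -> None:
        """'Drop my admin privilege for now, until I tell you otherwise.'"""
        self.admin_until = 0.0
        self.sliding = False

    def has_admin(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.account.is_admin and now < self.admin_until

    def admin_action(self, action: Callable[[], object],
                     now: Optional[float] = None) -> object:
        """Gate for admin-only operations. On success with a sliding grant the
        10-minute clock restarts from this operation, so an admin who keeps
        working never sees it expire."""
        now = time.time() if now is None else now
        if not self.has_admin(now):
            raise AdminRequired("admin privilege is not enabled; enable it first")
        result = action()
        if self.sliding:
            self.admin_until = now + SHORT_WINDOW
        return result


def login(account: Account, password: str, enable_admin_now: bool = False,
          now: Optional[float] = None) -> Optional[AdminSession]:
    """Log in as a normal user by default; the login-page checkbox
    (enable_admin_now, default off) turns on the short sliding window."""
    session = AdminSession(account)
    if not session._password_ok(password):
        return None
    if enable_admin_now:
        session.enable(password, now=now)   # no-op for non-admin accounts
    return session


if __name__ == "__main__":
    alice = new_account("alice", "correct horse", is_admin=True)
    s = login(alice, "correct horse", now=0)
    print("admin right after login:", s.has_admin(now=0))       # False
    s.enable("correct horse", now=1000)
    s.admin_action(lambda: "deleted spam", now=1500)             # restarts the clock
    print("still admin at t=2050:", s.has_admin(now=2050))       # True; a fixed clock would have expired at 1600
```

The design choice worth noting: `enable()` is the only path that turns privilege on and it always re-verifies the password, so the login checkbox simply calls it rather than having a second, weaker route; and the clock is restarted only after `action()` returns, so a denied attempt never extends the window.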