Details
- Applies to: moin--main--1.5--patch-476
- Purpose: Allow configurable conversion from existing usernames - like Kerberos principals - to MoinMoin UserNames
- Description:
The modular authentication code - particularly HTTP authentication - performs some hard-coded manipulation of authentication data: for instance, accepting the Basic, Digest, Negotiate & NTLM AUTH_TYPE values; dropping username domain/realm components; and converting usernames to title-case.
This patch attempts to make this necessary manipulation of authentication data modular, like the authentication code itself. Administrators may add methods to cfg.authfilter to accept, reject, or manipulate AUTH_TYPE & username.
Additionally, it includes a MoinMoin/authfilter.py module with ready-made methods for administrators to use:
- default - the existing hard-coded manipulation, moved here. This is the default value of cfg.authfilter
- title - normalize usernames using title-case
- regex - accept, reject, or manipulate AUTH_TYPE & username using the cfg.authtype_pattern, cfg.username_pattern, & cfg.username_replace regular expressions. The default values of cfg.authtype_pattern, cfg.username_pattern, & cfg.username_replace correspond to the behavior of the default method
- gecos - convert username to FirstnameLastname using getpwnam & the gecos field
This patch is based extensively on JoergWendland's Negotiate authentication patch - http://moinmoin.wikiwikiweb.de/MoinMoinPatch#head-bad1e4e1fd1b4d52a4051784d6d7abb8cb2d581b
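An added example, not code from the patch: a stand-alone Python 3 sketch of a regex filter of the kind described above. The function names, the filter signature and the sample pattern values are assumptions; only the cfg option names come from this page. It checks the realm before dropping it, because a filter that simply strips the realm maps principals from different realms to the same wiki name.

```python
import re

class Config:
    # Option names are from this page; the values are constructed samples,
    # not the patch's defaults.
    authtype_pattern = r"Negotiate|Basic"
    # The realm is part of the pattern, so only EXAMPLE.ORG is accepted.
    username_pattern = r"(?P<first>[a-z]+)\.(?P<last>[a-z]+)@EXAMPLE\.ORG"
    username_replace = r"\g<first> \g<last>"

def regex_authfilter(cfg, auth_type, username):
    """Hypothetical filter: return a wiki user name, or None to reject."""
    if not auth_type or not username:
        return None
    # fullmatch, so a pattern cannot accept a value by matching only a
    # prefix of it (for example a longer, different realm name).
    if re.fullmatch(cfg.authtype_pattern, auth_type) is None:
        return None
    match = re.fullmatch(cfg.username_pattern, username)
    if match is None:
        return None
    # Apply the replacement template, then build FirstnameLastname.
    expanded = match.expand(cfg.username_replace)
    return "".join(part.capitalize() for part in expanded.split())

def realm_dropping_filter(username):
    """Simplified stand-in for 'drop the realm, then title-case'."""
    return username.split("@")[0].title()

if __name__ == "__main__":
    samples = [  # constructed inputs
        ("Negotiate", "jane.doe@EXAMPLE.ORG"),
        ("Negotiate", "jane.doe@OTHER.TEST"),
        ("Negotiate", "jane.doe@EXAMPLE.ORG.other.test"),
        ("NTLM", "jane.doe@EXAMPLE.ORG"),
    ]
    for auth_type, principal in samples:
        print(auth_type, principal,
              "->", regex_authfilter(Config, auth_type, principal),
              "| realm dropped:", realm_dropping_filter(principal))
```

Principals with an instance component (the "/" part) do not match the sample pattern and are rejected; a site that needs them has to name them explicitly in cfg.username_pattern.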
Patch
http://cgi.sfu.ca/~jdbates/tmp/moin/200603160/patch
Discussion
That's a nice idea and should be included when ready. Some ideas for the code:
- gecos stuff: needs error handling and parsing gecos field according to spec
- maybe streamline the cfg variable stuff to a common prefix, like auth_...
- please use ..._regex not ..._pattern
- default is doing (see @ and /) part of what regex could do?
- please attach patch to this page
Another idea: the latest MoinMoin.auth stuff passes a user object parameter to the auth methods it calls. This is either None or the user object returned by some previous auth method call. So we could just have those "name filtering" functions moved to separate auth methods that change the user object they get.
Plan
- Priority:
- Assigned to:
- Status: