[geeklog-devtalk] Remote Authentication ;-)
Blaine Lang
geeklog at langfamily.ca
Fri Feb 4 07:59:18 EST 2005
Thanks guys - the replies helped clear up my concerns.
Blaine
----- Original Message -----
From: <mike at fuckingbrit.com>
To: <geeklog-devtalk at lists.geeklog.net>
Sent: Friday, February 04, 2005 3:59 AM
Subject: Re: [geeklog-devtalk] Remote Authentication ;-)
>> (Moderating new users)
>From a technical point of view, though, this should still be possible.
As it goes through USER_createUser any account created this way will be
automatically on hold. However, I think, currently the user will be logged
in and active. Something that didn't occur to me till now. I think I need
to add some code to handle this case.
>want them to use that identity then to spam other Geeklog sites. Mike?
The theoretical manner in which this might work is that each geeklog site
where the admin has enabled the option to BE a remote authentication SOURCE
can be used to remotely authenticate.
Then any geeklog instance that has remote authentication enabled, AND has
the Geeklog.auth.class.php installed can authenticate against it.
This is how drupal works. This is indeed an all geeklog or no geeklog auth
method, which clearly isn't desirable. It won't be a problem for a 'while'
because to start with comment spammers are going to stick to sites that are
anon enabled. Then they'll start to target big target sites by signing up,
or using a remote service. Then when that starts to not work, then they'll
host their own authentication site.
Now, I thought the best way to block/allow sites would be to provide two
arrays, one of block site regexes, one of allow site regexes. So you can
say, only allow remote authentication from geeklog.net or *linux* or
something. OR you can say allow authentication from any geeklog instance
that doesn't match *poker* or *porn* or *pills* or whatever.
However, the option 5, which is still I think the best option, would
require you to provide specific sites that you can authenticate against
only, which would be a good, but restrictive way of controlling remote
authentication sources for geeklog.
>We should probably also finally implement something to disable user accounts
>(including remotely authenticated users).
I didn't realise that didn't exist. Perhaps I should add it since I'm in
users.php anyway? Disabled big flag?
>The only change, but that is optional, would be to use yet-to-be-specified
>COM_ functions to get a user's display name, so that the site owner has
>some influence over how those remotely authenticated users are displayed.
If we go path 4, not 0 or 5 or something else ;-)
>(sent via webmail, hence no references - sorry about that)
Ditto. And hence crappy quoting for me. Mail2web ought to prefix with > bah.
Mike
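
Added example, not part of the original message and not Geeklog code: a sketch of the allow/block check proposed above, with two arrays of site regexes deciding which remote sites may act as an authentication source. The function name `remoteAuthSourceAllowed`, the pattern arrays and the sample URLs are hypothetical and constructed for illustration; the block list is assumed to take precedence over the allow list.

```php
<?php
// Added example, not Geeklog code. All names here are hypothetical.

/**
 * Decide whether a remote site may be used as an authentication source.
 * $allow and $block are arrays of PCRE patterns matched against the hostname.
 * An empty $allow list means "any site that is not blocked"; a non-empty
 * one means "only sites matching at least one allow pattern".
 */
function remoteAuthSourceAllowed(string $sourceUrl, array $allow, array $block): bool
{
    // Match on the parsed hostname only, so text in the path or query
    // string can never satisfy an allow pattern.
    $host = parse_url($sourceUrl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                        // unparsable source: refuse
    }
    $host = rtrim(strtolower($host), '.');   // normalise case and trailing dot

    foreach ($block as $pattern) {
        if (preg_match($pattern, $host) === 1) {
            return false;                    // block list always wins
        }
    }
    if ($allow === []) {
        return true;
    }
    foreach ($allow as $pattern) {
        if (preg_match($pattern, $host) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed configuration following the examples in the message. The
// geeklog.net entry is anchored to the end of the hostname; a bare
// /geeklog\.net/ would also match hosts that merely contain that string.
$allow = ['/(^|\.)geeklog\.net$/', '/linux/'];
$block = ['/poker/', '/porn/', '/pills/'];

// Constructed sample sources.
$samples = [
    'http://www.geeklog.net/',               // subdomain of geeklog.net
    'http://geeklog.net.example.org/',       // geeklog.net as a prefix label
    'http://linux-poker.example/',           // matches *linux* and *poker*
    'http://example.com/?site=geeklog.net',  // name appears only in the query
];
foreach ($samples as $url) {
    printf("%-40s %s\n", $url, remoteAuthSourceAllowed($url, $allow, $block) ? 'allow' : 'deny');
}
```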