Gay But Not Narrow (ruakh) wrote in lj_dev,

authas vs. user

Sorry if this is the wrong place to ask this, but what's the purpose of distinguishing between the form arguments authas and user, as far as page behavior goes? Granted, authas implies that the remote user has the privs necessary to make the requested change without supplying an additional password, whereas user implies that the remote user (if any) is supplying the password for the account they're changing; but it seems as though it would be easier simply to treat them the same way: if there's a password, then confirm it, and if there isn't, then check for the necessary privs. If a bad password is given, then send an invalid-password error; if no password is given and the remote user lacks the necessary privs, then send an insufficient-privs error. (Currently, user with no password results in either a cryptic error message or a partially-prefilled login form, and authas without privs results in an error message and no login form.)

Since it isn't done this way, I assume there's a reason it isn't; but I can't figure out why. Does anyone have any thoughts?

