authas and user, as far as page behavior goes? Granted, authas implies that the remote user has the privs necessary to make the requested change without supplying an additional password, whereas user implies that the remote user (if any) is supplying the password for the account they're changing; but it seems as though it would be easier simply to treat them the same way: if there's a password, then confirm it, and if there isn't, then check for the necessary privs. If a bad password is given, then send an invalid-password error; if no password is given and the remote user lacks the necessary privs, then send an insufficient-privs error. (Currently, user with no password results in either a cryptic error message or a partially-prefilled login form, and authas without privs results in an error message and no login form.)

Since it isn't done this way, I assume there's a reason it isn't; but I can't figure out why. Does anyone have any thoughts?