user, as far as page behavior goes? Granted,
authasimplies that the remote user has the privs necessary to make the requested change without supplying an additional password, whereas
userimplies that the remote user (if any) is supplying the password for the account they're changing; but it seems as though it would be easier simply to treat them the same way: if there's a password, then confirm it, and if there isn't, then check for the necessary privs. If a bad password is given, then send an invalid-password error; if no password is given and the remote user lacks the necessary privs, then send an insufficient-privs error. (Currently,
userwith no password results in either a cryptic error message or a partially-prefilled login form, and
authaswithout privs results in an error message and no login form.)
Since it isn't done this way, I assume there's a reason it isn't; but I can't figure out why. Does anyone have any thoughts?