Hooking into account system for web auth

Elliot Lee sopwith at gmail.com
Wed Nov 22 01:34:37 UTC 2006


On Nov 20, 2006, at 10:07 PM, Jesse Keating wrote:

> On Monday 20 November 2006 18:43, Elliot Lee wrote:
>> Thinking about it some more (now that I realized it's in the context
>> of hosting projects) - you're going to want to have a separate
>> account system group for each hosted project.
>
> Why would that be?  At least with trac, all fedora users are treated the same
> as anonymous, but you could get your name attached to a bug (and thus emails)
> and wiki changes.  Account privilege escalation can be done within the Trac
> instance itself, through the webadmin tool.  Why would we need a different
> account system?

(To recap, I suggested a different account system _group_, not an  
entirely different account system.)

> Why wouldn't the Fedora account system work and just allow
> any user that has CLA signed to create a project or login to participate with
> a name to an existing project?

I think that works within the context of Fedora as a whole, but  
moving into hosted territory means you have to adopt more of a  
sourceforge mentality, where your job is to give as much control as  
possible to the project owner, and let them make decisions such as  
who can participate. In order to let each project owner make access  
decisions independently, you would need a separate account.

It sounds like trac has some 'webadmin' thing for controlling  
people's access - I think it's a bad idea to go with that. Properly  
tying trac into the Fedora account system means making it so that  
full control of both authentication & authorization is done through  
the FAS. In the long run, it'll be a lot nicer to be able to go to  
one place to control people's access levels for everything. (Not to  
say that FAS v1 is the right way to do it, just suggesting a good  
goal for the future :)

Best,
-- Elliot




