I tend to agree that Disabled means they shouldn't be able to gain access to the system....but yes, there is a veritable spiderweb of considerations to take into account to consider it a 'quick 10 min fix'. :)
On Thu, Jan 30, 2014 at 2:55 PM, John Baker <jba...@javasystemsolutions.com>wrote: > LJ > > I think that disabled means disabled. It doesn't mean anything else. :) > > You make a good point about the error message, but that's easy to solve > - re-use the existing user/password error. But actually, I think it's > fairly well accepted that it's safe to tell a user their account is > disabled [and please call the service desk]. > > Once upon a time, I saw a flow chart of all the possible combinations of > AR System authentication. The BMC chap presenting it had about four > slides of spider diagrams. I suspect the real reason that it's hard to > add an if statement is the code for authentication has morphed into > something no-one ever wants to touch, with all the edge cases you > discuss (guest users, etc). But there's a good solution - remove it all, > remove the legacy features, remove chaining, and implement AREA or AR > System. I'm not even sure I'd allow "guest users" to persist, but there > are a couple of SSO Plugin customers who use it. > > > John > > > _______________________________________________________________________________ > UNSUBSCRIBE or access ARSlist Archives at www.arslist.org > "Where the Answers Are, and have been for 20 years" > _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"