Hi,

I've been going through the modules/aaa directory
and found that modules there seem to implement both
authentication and authorization.

IMO this should be split.  Auth and authz are
completely different things and it would be nice
to have different modules to do authentication
in a different way, but still utilize the same
authorization method.

To accomplish this, an extra field would be needed
in request_req (and that's probably not going
to happen): request_req->groups, which holds
a string with all the groups the authenticated
user belongs to.

Or, there could be a new hook which is used to
look up the groups a user belongs to, or, if
a user belongs to a certain group.  This hook
will be called whenever the framework equivalent
of this function is called.

Thoughts?

Sander

/me hides from the 'core stabilizers' that probably
 are going to hate me for bringing this up.
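
An added illustration of the split proposed in the message above; it is not part of the original post and is not httpd code. Two interchangeable authentication providers share one authorization path through a group-lookup hook. Every name, credential and group entry below is hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical types; none of these are httpd APIs. */
typedef struct { const char *user; const char *secret; } request;

/* Authentication provider: establishes only *who* the user is. */
typedef int (*authn_fn)(const request *r);
/* Group hook: answers "does this user belong to this group?". */
typedef int (*group_hook_fn)(const char *user, const char *group);

enum { ALLOW = 200, DENY_AUTHN = 401, DENY_AUTHZ = 403 };

static int creds_match(const request *r, const char *u, const char *s) {
    /* Real code would verify a stored hash in constant time. */
    return r && r->user && r->secret &&
           strcmp(r->user, u) == 0 && strcmp(r->secret, s) == 0;
}

/* Two providers with constructed credentials. */
int authn_file(const request *r)  { return creds_match(r, "alice", "s3cret"); }
int authn_token(const request *r) { return creds_match(r, "bob", "tok-123"); }

/* One group source (constructed table), reused by every provider. */
int groups_static(const char *user, const char *group) {
    static const char *const members[][2] = {
        { "alice", "admins" }, { "bob", "staff" },
    };
    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++)
        if (strcmp(members[i][0], user) == 0 &&
            strcmp(members[i][1], group) == 0)
            return 1;
    return 0;
}

/* Framework side: authenticate first, then ask the group hook.
 * A missing provider or hook denies access (fail closed). */
int check_access(const request *r, authn_fn authn,
                 group_hook_fn in_group, const char *required_group) {
    if (!authn || !authn(r))
        return DENY_AUTHN;
    if (!in_group || !in_group(r->user, required_group))
        return DENY_AUTHZ;
    return ALLOW;
}
```

Swapping authn_file for authn_token changes how the user is identified without touching the group check, which is the decoupling the message asks for.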
