requirements for accounts in next pinax release

2 views
Skip to first unread message

James Tauber

unread,
Oct 30, 2008, 3:29:24 AM10/30/08
to pinax...@googlegroups.com
For the next release, one thing I'm working on is supercharging the
account app to handle a variety of different signup workflows, etc.

After a discussion on the IRC channel, I came up with the following 12
requirements of what Pinax should let site developers control about
their site's account management.


REQUIREMENTS FOR ACCOUNTS IN NEXT PINAX RELEASE

Site developers *may* want their site to:

ACC-1: not support openid at all
ACC-2: *only* use openid and not username passwords at all
ACC-3: not have any signup, just rely on admin-created accounts (with
a temp password emailed *or* admin just adds the openid)
ACC-4: have a waiting list where users "apply" for an account and an
admin approves (with batch support)
ACC-5: be in private beta where users get a certain number of invites
they can hand out
ACC-6: use token-based password reset rather than emailing passwords
ACC-7: support multiple levels of user (although this isn't the place
to manage permissions or subscription payments)
ACC-8: allow people to use their primary email address as an
alternative to username when logging in
ACC-9: not have usernames at all and just use email address (this is a
significant change throughout the rest of the apps, I suspect)
ACC-10: require email confirmation before login can take place
ACC-11: let the user in on signup but still require them to click on
token url in email to be allowed to login subsequently
ACC-12: resend signup email confirmations with exponential backoff
(also spread across day of the week)


If you have any additional ideas or design input into any of the
above, let us know.


James

Tom Bennett

unread,
Oct 30, 2008, 9:02:54 AM10/30/08
to pinax...@googlegroups.com
For intranet support, it would be nice if login could just be linked to the local password file or NIS DB (and possibly active directory). In this workflow, there would be no sign up option, and you'd instantiate the pinax account on the initial login after validating the credentials of the user. 

From an audit perspective this seems a good thing to do for intranet support because it plugs a potential security hole in the software by only allowing people with a valid corporate username and password to access the information on the site.

Most of our other intranet sites requiring authentication allow you to do this, and it greatly simplifies things on the user side if you can just use your corporate login. 

Thanks!

-tom  


From: James Tauber <jta...@jtauber.com>
To: pinax...@googlegroups.com
Sent: Thursday, October 30, 2008 3:29:24 AM
Subject: [pinax-users] requirements for accounts in next pinax release

Wes Winham

unread,
Oct 30, 2008, 9:40:25 AM10/30/08
to Pinax Users
ACC-9 is something that I've been implementing with 1-off
customization. It would be wonderful for that to be a configuration
option.

-wes

On Oct 30, 9:02 am, Tom Bennett <thomaswbenn...@yahoo.com> wrote:
> For intranet support, it would be nice if login could just be linked to the local password file or NIS DB (and possibly active directory). In this workflow, there would be no sign up option, and you'd instantiate the pinax account on the initial login after validating the credentials of the user.
>
> From an audit perspective this seems a good thing to do for intranet support because it plugs a potential security hole in the software by only allowing people with a valid corporate username and password to access the information on the site.
>
> Most of our other intranet sites requiring authentication allow you to do this, and it greatly simplifies things on the user side if you can just use your corporate login.
>
> Thanks!
>
> -tom  
>
> ________________________________
> From: James Tauber <jtau...@jtauber.com>

Peter Herndon

unread,
Oct 30, 2008, 10:11:11 AM10/30/08
to pinax...@googlegroups.com
+1 for Tom's suggestion. I have an upcoming project that Pinax would
make easier, but I'd be doing authZ against corporate LDAP. Having
that be a configurable option in Pinax would make my life much easier.
Allowing for authN based on LDAP group memberships would make my
life easier still.

Adam Nelson

unread,
Oct 30, 2008, 2:56:58 PM10/30/08
to pinax...@googlegroups.com
+1 for LDAP if we're going down this road.  LDAP would be the most useful before other authentication options and it should be relatively straightforward with existing Django LDAP backends.

James Tauber

unread,
Oct 30, 2008, 3:02:44 PM10/30/08
to pinax...@googlegroups.com
Anyone volunteer to do LDAP support? That can be ACC-13.

Any other backends? Tom mentions local password file and NIS.

(Note I'm looking for implementation offers, not feature requests
now :-)

Adam Nelson

unread,
Oct 30, 2008, 3:05:24 PM10/30/08
to pinax...@googlegroups.com
Where is the list of open projects? 

I'll take one on - but I have no use for LDAP right now.

Nicola Larosa

unread,
Oct 30, 2008, 3:36:43 PM10/30/08
to pinax...@googlegroups.com
James Tauber wrote:
> (Note I'm looking for implementation offers, not feature requests now
> :-)

I'm going to need ACC-3, ACC-8 and ACC-10 soon, and am willing and able
(I like that phrase ;-) ) to work on them. How do we go about it?

--
Nicola Larosa - http://www.tekNico.net/

Tell me, and I will forget;
show me, and I may remember;
involve me, and I will understand.
- Confucius, 450 B.C.

James Tauber

unread,
Oct 30, 2008, 4:04:01 PM10/30/08
to pinax...@googlegroups.com

> James Tauber wrote:
>> (Note I'm looking for implementation offers, not feature requests
>> now :-)

btw, I didn't mean in general, I just meant regarding authentication
backends. Still open to feature requests on accounts in general.

James

James Tauber

unread,
Oct 30, 2008, 4:20:37 PM10/30/08
to pinax...@googlegroups.com
On Oct 30, 2008, at 3:36 PM, Nicola Larosa wrote:

>
> James Tauber wrote:
>> (Note I'm looking for implementation offers, not feature requests now
>> :-)
>
> I'm going to need ACC-3, ACC-8 and ACC-10 soon, and am willing and
> able
> (I like that phrase ;-) ) to work on them. How do we go about it?

Let's start with posting patches as issues to django-hotclub on c.g.c

btw, I've created http://code.google.com/p/django-hotclub/wiki/AccountRequirements
with the requirements list (including LDAP)

I can edit that as we go to mark what's done, in progress, etc.

Should I just go ahead and mark 3, 8 and 10 as being worked on by you?

Let's move discussion of nitty gritty design issues to pinax-core-dev

James

Fernando Correia

unread,
Oct 30, 2008, 5:28:36 PM10/30/08
to pinax...@googlegroups.com
2008/10/30 James Tauber <jta...@jtauber.com>:

> btw, I didn't mean in general, I just meant regarding authentication
> backends. Still open to feature requests on accounts in general.

There is an interesting article on this subject:

The Perfect Login
http://virteal.com/ThePerfectLogin

James Tauber

unread,
Oct 30, 2008, 5:48:20 PM10/30/08
to pinax...@googlegroups.com
Yeah, not sure I agree with *everything* in it, though :-)

Fernando Correia

unread,
Oct 30, 2008, 5:51:28 PM10/30/08
to pinax...@googlegroups.com
Oh, of course. Me neither. But it may spark some idea.

Nicola Larosa

unread,
Oct 30, 2008, 6:46:40 PM10/30/08
to pinax...@googlegroups.com
James Tauber wrote:
> Should I just go ahead and mark 3, 8 and 10 as being worked on by you?

Well, you could, if I had some definite idea of what to actually *do*. :-)


> Let's move discussion of nitty gritty design issues to pinax-core-dev

Ehi, what's that? It's the first time I hear about it, and even the
mighty Google does not seem to know anything about it.

James Tauber

unread,
Oct 30, 2008, 7:03:58 PM10/30/08
to pinax...@googlegroups.com
On Oct 30, 2008, at 6:46 PM, Nicola Larosa wrote:
>
>> Let's move discussion of nitty gritty design issues to pinax-core-dev
>
> Ehi, what's that? It's the first time I hear about it, and even the
> mighty Google does not seem to know anything about it.

Funny given it's hosted by Google :-)

http://groups.google.com/group/pinax-core-dev

James

Reply all
Reply to author
Forward
0 new messages