[Mailman-Developers] Login / User Identification Issues in MM3

Terri Oda terri at zone12.com
Wed Jul 11 08:55:25 CEST 2012


On 12-07-10 11:12 PM, Stephen J. Turnbull wrote:
> But isn't that going to take us a long way down the road where we
> anoint Postorius the one-and-only admin interface?  If that really
> needs to be, OK, but I don't much like it.  Among other things, it
> will make the design and detailed UI of Postorius a focus of
> discussion for everybody concerned with Mailman 3.  And it makes the
> option to "build one to throw away" much more difficult -- the design
> decisions already made, and will be made in the near future, will
> probably live as long as Pipermail has (and Pipermail will continue
> for several more years, at least!)

I think it may be possible that the core authentication stuff can be 
pushed into REST without tying us to postorius forever, but I haven't 
got it quite set in my head how that will go yet.

* Right now, Postorius can do logins based on email/password pairs in 
REST.

* We'd like to do BrowserID, which only needs the email (and we're 
trusting the browser to do the authentication) so that shouldn't be a 
problem.  BrowserID was not completely implemented when I last played in 
there... unless someone else has finished the hookup, please do not 
assume that it's fully working and feel free to file bugs so what's not 
working is clearly indicated somewhere other than my head. ;)  Right 
now, it generates a login, but has no useful interaction with REST settings.

* We'd also like to do openid, which means we need to somehow associate 
an openid token with an email address.

So right now, postorius needs email address, username (for direct 
authentication), and potentially a list of openid or other tokens.  
That's a small enough list that we may be able to justify making mailman 
core aware of a small token list (or a single openid token?), or we can 
let postorius handle that and have core only understand "I am the owner 
of this email address -- let me see the associated settings of me."  I 
think my preference would be to have mailman understand more than 
email/password authentication, because I think it'll make things easier 
and not have us duplicating data in hyperkitty etc, though.

The messy part, IMO, is what to do with the non-authentication user 
data. I'm guessing we'll probably want some sort of theme preference 
data (possibly shared between postorius/hyperkitty/others?).  Not sure 
what else.  That stuff... really doesn't have much place in core, but 
probably will need to be shared between several web components... do we 
have a second rest server for user data?



