Photo Organizer

  • Status Closed
  • Percent Complete 100%
  • Task Type Feature Request
  • Category Backend / Core
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version 2.36
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Photo Organizer
Opened by kaz - 2010-08-09
Last edited by pizza - 2010-10-11

FS#434 - Alternative authentication desired.

It would be good to be able to disable the e-mail registration mechanism and use some other means of authentication. For instance, Linux passwords!

I don't want strange people going into my server, registering accounts and uploading pictures. Moreover, I don't want authorized users to have to go through a registration dance to obtain yet another password. This is one of the things many people hate about websites!!! Everyone and his dog wants you to register a user name and password, then validate it through e-mail (and this is one of the bad qualities of the online photo management companies we can avoid by running it ourselves).

I would like to be able to create an account for someone at the OS level, and then have that user name and password simply work in every application.

Closed by pizza
2010-10-11 16:13
Reason for closing: Won't implement
Additional comments about closing: I won't code up a PAM auth plugin due to it requiring the webserver running as root. Everything else mentioned in this ticket is already supported, so I'm closing this.
Admin
pizza commented on 2010-08-09 03:33

A few points -- you don't have to allow open registration, and even if you do, defaults can be set to prevent those new users from uploading things. Second, I had to implement a two-phase registration system (i.e. email verification) in order to cut down on spammers mass-creating accounts. (Yes, even something as obscure as PO has had spambots attack it.) Alternatively, admin users can create new accounts (and set their passwords). Third, users don't have to register to get access to anything; you can password-protect folders/albums and hand those passwords to whomever you want. No registration required.

But all that is beside your apparent point -- you want PO to be able to use an external authentication mechanism, and more specifically, the host server accounts.

PO already supports pluggable authentication -- currently there are plugins for PO's own internal database (which allows registration), an arbitrary external database, or LDAP. Writing a new auth plugin is as straightforward as whatever you're trying to authenticate against.

If you're wedded to authentication against system accounts -- presumably you're running on Linux here -- that will require PAM and subsequently operating the webserver as root, which is not something generally recommended. There's no inherent reason that a PAM auth module can't be written, but I personally have no use for it (and I'm not going to run a public-facing PHP-enabled web server as root either!)

It's worth mentioning that any large-ish scale multi-user system won't be using PAM/system accounts for authentication; indeed the "system" accounts typically authenticate against an external auth service, usually a database or LDAP.

I've also considered implementing a generic OpenID consumer, but I haven't found an OpenID provider I'm remotely happy with yet, and if I can't self-host in a sane manner, it's not worth the effort yet.

Admin
pizza commented on 2010-08-09 03:52

I think that came off as harsh, but that wasn't intentional.

Basically, a PAM authentication plugin is something I've looked into before, and is pretty low on my priority list given its limited usefulness..

(and the proliferation of account credentials annoys me to no end too.. everything I use is self-hosted, and most of it ties into the same authentication backend)
