On Fri, Sep 10, 2004 at 09:34:54AM +0200, Ivan Popov wrote:
> it has been quite a few times I complained... :)

I know.

> http://www.coda.cs.cmu.edu/maillists/codalist/codalist-2003/5895.html
> http://www.coda.cs.cmu.edu/maillists/codalist/codalist-2004/6191.html
> 
> The semantical inconsistency is striking me again (and again :)
> so I am talking to raise the awareness of the problem.
> 
> Right now you can work
>  [ connected and authenticated ]
> or
>  [ disconnected using the cached rights on the cached objects ].
> 
> What is missing is
>  [ connected and using the cached rights on the cached objects ]

You missed 'connected and not authenticated'. Which makes your missing
state ambiguous.

Technically what happens is that we have a 'system:anyuser' user object
for unauthenticated/anonymous connections. When a user obtains a token
from the auth2 server he is given an authenticated user object for that
realm until the servers reject the credentials (bad credentials, or they
have expired). At that point the authenticated user object is destroyed
and we fall back to the unauthenticated system:anyuser. As long as we
are disconnected the servers can't tell us that the credentials are
invalid.

It is kind of like using an expired or stolen credit card, as long as
nobody checks the purchases go through, until we go to a place that
checks the expiry date or a list of stolen cards.

The thing with bad credentials is that it is impossible to set up a
working connection to the servers. So if we leave the authenticated user
object around, that user would in effect stay disconnected from the
servers even though other users can still fetch files and such. I don't
know how such a partly disconnected state would work reliably and it is
possibly even more confusing to the end user.

Jan