
Authentication in 1.3 (was Re: State of Perl-based database setup utilities for LedgerSMB 1.3)



On Sat, 28 May 2011 10:07:56 -0700
Chris Travers <..hidden..> wrote:

> In other words, LedgerSMB doesn't authenticate users in 1.3, nor is it
> the final check against exceeding permissions.  These are both handled
> by PostgreSQL.

Really?

I was unaware of that.  I do not like that approach.  We run our LSMB
1.2 installation on a machine that says "local all all trust" in
pg_hba.conf; no normal users have accounts on that machine.

Making application users into database roles is a bad decision, IMO.
It forces you to use PostgreSQL's auth mechanism which, while
admittedly "mature and well-tested", might not be the most convenient
way to manage users in the application.  I hope that you rethink this.
It's a dealbreaker for me and means we can't use LSMB 1.3.

Regards,

David.
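
Added example, not part of the original message or of LedgerSMB: when PostgreSQL is the authentication layer, as the quoted text says of 1.3, a `trust` rule in pg_hba.conf admits any matching connection as any role without a password. This sketch lists such rules. The sample file is constructed, and only its first rule is the one quoted in the message above.

```python
import ipaddress
import shlex

# Constructed sample; "ledgersmb" and the addresses are illustrative values.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all       all                     trust
host    all       all   127.0.0.1/32      md5
host    ledgersmb all   192.168.1.0 255.255.255.0 trust
hostssl all       all   0.0.0.0/0         md5
"""

CONN_TYPES = {"local", "host", "hostssl", "hostnossl",
              "hostgssenc", "hostnogssenc"}

def parse_hba(text):
    """Return (lineno, type, database, user, address, method) per rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if not tok or tok[0] not in CONN_TYPES:
            continue  # blank, comment-only, or a directive this sketch ignores
        try:
            if tok[0] == "local":
                address, method = None, tok[3]  # socket rules have no address
            else:
                address, idx = tok[3], 4
                try:
                    ipaddress.ip_address(address)  # bare IP: a netmask field follows
                    address, idx = f"{address} {tok[4]}", 5
                except ValueError:
                    pass  # CIDR, hostname or keyword: method is the next field
                method = tok[idx]
        except IndexError:
            continue  # malformed rule; PostgreSQL itself would reject it
        rules.append((lineno, tok[0], tok[1], tok[2], address, method))
    return rules

def trust_rules(text):
    """Rules that let matching connections in with no credential check."""
    return [r for r in parse_hba(text) if r[5] == "trust"]

if __name__ == "__main__":
    for lineno, ctype, db, user, addr, _ in trust_rules(SAMPLE_HBA):
        print(f"line {lineno}: {ctype} db={db} user={user} "
              f"addr={addr or 'unix socket'} uses trust")
```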