Issue Type: Docs: Improvement Created: 2008-01-09T19:26:33.000+0000 Last Updated: 2008-02-26T12:56:02.000+0000 Status: Resolved Fix version(s): - 1.0.4 (26/Feb/08)
Reporter: Darby Felton (darby) Assignee: Ralph Schindler (ralph) Tags: - Zend_Auth
Related issues: - ZF-1680
To the Zend_Auth_Adapter_DbTable documentation should be added an example of how to extend the class in order to add arbitrary authentication criteria.
This solution would demonstrate to developers how to use custom authentication conditions such as: * the status field value of an account is not equal to "compromised", * the active field value of an account is equal to true, and * three unsuccessful login attempts having occurred in a certain timespan.
It may be helpful to convey that to achieve encapsulation of authentication with Zend_Auth, these criteria should only deal with authentication - the process of determining that an entity is (or most likely is) what it purports to be. That is, it may not a good idea generally to add conditions to the authentication mechanism that deal more with access control than with authentication, unless there is good reason to do so. As an example, consider the use case of "no logins allowed except from 8am-5pm". In many situations this policy would be considered an access control rule, since it may not deal directly with authentication. When Joe types his password into the form at 7:30am, does this mean that the application should operate under the assumption that it's not Joe making the request? It probably depends on the situation.
Posted by Ralph Schindler (ralph) on 2008-02-20T12:30:11.000+0000
Fixed in r8216.
I've added documentation to support the first two use cases you suggest. Although at this time, I think that the 3rd advanced usage case is too far outside the scope of Zend_Auth to be included in the manual. I think that for that level of advanced usage, you'd probably want to first visit Zend_Acl.
Have you found an issue?
See the Overview section for more details.