opserver / Opserver

Stack Exchange's Monitoring System
https://opserver.github.io/Opserver/
MIT License

Automatically log in for EveryonesAnAdminProvider and EveryonesReadOnlyProvider #282

Open AlexSikilinda opened 7 years ago

AlexSikilinda commented 7 years ago

When EveryonesAnAdmin or EveryonesReadOnly is selected as the security provider, users are redirected to the login page, where they are supposed to type a random login/password.

This commit introduces a custom view which contains an auto-submitted form so that users don't need to log in.

NickCraver commented 7 years ago

This isn't the intent of the "EveryoneIsAnAdmin". A key aspect is you still need to log in. Actions should still be traceable to you, including in exceptions, admin operations, etc.

EveryoneIsAnAdmin is also "everyone who can log in is an admin"; this may or may not be everyone. Such a view breaks that use case (and the intent above).

AlexSikilinda commented 7 years ago

Was under the impression that EveryonesAnAdminProvider means everyone can log in + everyone is an admin, since ValidateUser always returns true:

public class EveryonesAnAdminProvider : SecurityProvider
{
    public override bool IsAdmin => true;

    internal override bool InAdminGroups(ISecurableModule settings) { return true; }
    public override bool InGroups(string groupNames, string accountName) { return true; }
    public override bool ValidateUser(string userName, string password) { return true; } // <-- here
}

But I got your point about authenticating an admin; it's just a little bit confusing that you have to type a random password which actually isn't validated. Maybe the password input should be hidden on the login page, just wondering.