Am I being a reputable professional if I give in to these demands?

Who is making the demand? Are you an employee? Contractor? It sounds like the requirements are at fault, not you. You can disagree with the requirements all you like, but if they are requirements and it is your job to implement them... well, that should answer your question. You can question why, suggest alternatives, and shake your head in disbelief all you want, but at the end of the day, a professional is going to give his client what the client needs. Just make sure it is all written out very clearly (and record your misgivings) so that, if it all goes horribly wrong, at least you will be absolved.

So therefore.. what should be my main authority on users, the db or the filesystem?

Keep the auth data centralized. Your idea of using a file called "joe" to provide access to the project that file resides in is an unsecure and unmaintainable mess waiting to happen.

-sauoq
"My two cents aren't worth a dime.";