[Checkins] SVN: PluggableAuthService/branches/1.5/ Merge r78370
from trunk. This is a security fix: without it we could mix up users
Wichert Akkerman
wichert at wiggy.net
Tue Sep 11 06:12:21 EDT 2007
Log message for revision 79562:
Merge r78370 from trunk. This is a security fix: without it we could mix up users
Changed:
U PluggableAuthService/branches/1.5/PluggableAuthService.py
U PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py
-=-
Modified: PluggableAuthService/branches/1.5/PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/1.5/PluggableAuthService.py 2007-09-11 09:47:07 UTC (rev 79561)
+++ PluggableAuthService/branches/1.5/PluggableAuthService.py 2007-09-11 10:12:20 UTC (rev 79562)
@@ -761,11 +761,10 @@
""" user_id -> info_dict or None
"""
- criteria = {}
+ criteria = {'exact_match': True}
if user_id is not None:
criteria[ 'id' ] = user_id
- criteria[ 'exact_match' ] = True
if login is not None:
criteria[ 'login' ] = login
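Review bot: With `criteria` initialised to `{'exact_match': True}` the dict is never empty, so a call where both `user_id` and `login` are `None` no longer yields an empty criteria set. The rest of `_verifyUser` lies outside this hunk, but if it guards the plugin lookup on the truthiness of `criteria`, that guard now always passes and the enumerators would be queried with no id or login constraint. An explicit early exit before the dict is built, `if user_id is None and login is None: return None`, keeps that case closed. The docstring could also record the new contract, e.g. `""" user_id or login -> info_dict or None (exact matches only) """`.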
Modified: PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py 2007-09-11 09:47:07 UTC (rev 79561)
+++ PluggableAuthService/branches/1.5/tests/test_PluggableAuthService.py 2007-09-11 10:12:20 UTC (rev 79562)
@@ -61,6 +61,45 @@
return ()
+class DummyMultiUserEnumerator( DummyPlugin ):
+
+ def __init__( self, pluginid, *users ):
+
+ self.PLUGINID = pluginid
+
+ self.users = users
+
+ def enumerateUsers( self, id=None, login=None,
+ exact_match=False ):
+
+ results = []
+
+ for info in self.users:
+ id_match = False
+ if id:
+ if exact_match:
+ if info['id'] == id:
+ id_match = True
+ elif info['id'].find(id) != -1:
+ id_match = True
+ else:
+ id_match = True
+
+ login_match = False
+ if login:
+ if exact_match:
+ if info['login'] == login:
+ login_match = True
+ elif info['login'].find(login) != -1:
+ login_match = True
+ else:
+ login_match = True
+
+ if id_match and login_match:
+ results.append(info)
+
+ return tuple(results)
+
class DummyGroupEnumerator( DummyPlugin ):
def __init__( self, group_id ):
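Review bot: `DummyMultiUserEnumerator.enumerateUsers` tests `if id:` and `if login:`, so an empty string is treated as an absent criterion and matches every stored user, whereas `_verifyUser` only treats `None` as absent. Writing `if id is not None:` and `if login is not None:` would make the dummy follow the same convention as the code it exercises. A short class docstring such as `"""Enumerator holding several users; honours exact_match for id and login."""` would also explain why it exists next to the single-user dummies.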
@@ -1042,6 +1081,30 @@
self.failUnless( zcuf._verifyUser( zcuf.plugins
, login='bar at example.com' ) )
+ def test__verifyUser_login_userid( self ):
+
+ from Products.PluggableAuthService.interfaces.plugins \
+ import IUserEnumerationPlugin
+
+ plugins = self._makePlugins()
+ zcuf = self._makeOne( plugins )
+
+ enumerator = DummyMultiUserEnumerator(
+ 'enumerator',
+ {'id': 'foo', 'login': 'foobar'},
+ {'id': 'bar', 'login': 'foo'})
+ directlyProvides( enumerator, IUserEnumerationPlugin )
+ zcuf._setObject( 'enumerator', enumerator )
+
+ plugins = zcuf._getOb( 'plugins' )
+
+ plugins.activatePlugin( IUserEnumerationPlugin, 'enumerator' )
+
+ self.failUnless(
+ zcuf._verifyUser(plugins, login='foo')['id'] == 'bar')
+ self.failUnless(
+ zcuf._verifyUser(plugins, login='foobar')['id'] == 'foo')
+
def test__findUser_no_plugins( self ):
plugins = self._makePlugins()
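Review bot: `test__verifyUser_login_userid` asserts only the two positive lookups, and each indexes `['id']` on the result, so a `None` return would surface as a TypeError instead of an assertion failure. A negative case is missing: a login that is a substring of both fixture logins but equal to neither should find no user, e.g. `self.failUnless(zcuf._verifyUser(plugins, login='fo') is None)` (assuming `_verifyUser` returns `None` on no match, as its docstring states). That assertion pins the security property directly, rather than relying on which of two partial matches happens to come back first.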