[Checkins] SVN: z3c.password/trunk/ Fix: ``disallowPasswordReuse`` must not check ``None`` passwords.

Adam Groszer agroszer at gmail.com
Tue Dec 8 08:49:15 EST 2009


Log message for revision 106278:
  Fix: ``disallowPasswordReuse`` must not check ``None`` passwords.

Changed:
  U   z3c.password/trunk/CHANGES.txt
  U   z3c.password/trunk/src/z3c/password/principal.py
  U   z3c.password/trunk/src/z3c/password/principal.txt

-=-
Modified: z3c.password/trunk/CHANGES.txt
===================================================================
--- z3c.password/trunk/CHANGES.txt	2009-12-08 12:17:31 UTC (rev 106277)
+++ z3c.password/trunk/CHANGES.txt	2009-12-08 13:49:15 UTC (rev 106278)
@@ -5,7 +5,7 @@
 0.8.0 (unreleased)
 ------------------
 
-- ...
+- Fix: ``disallowPasswordReuse`` must not check ``None`` passwords.
 
 0.7.2 (2009-08-07)
 ------------------
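Review bot: The 0.8.0 changelog entry describes only the check side of the fix. The same revision also stops appending ``None`` to ``previousPasswords`` in principal.py, which changes what is persisted in the history; suggest extending the entry to say that ``None`` is no longer recorded as a previous password.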

Modified: z3c.password/trunk/src/z3c/password/principal.py
===================================================================
--- z3c.password/trunk/src/z3c/password/principal.py	2009-12-08 12:17:31 UTC (rev 106277)
+++ z3c.password/trunk/src/z3c/password/principal.py	2009-12-08 13:49:15 UTC (rev 106278)
@@ -42,7 +42,7 @@
 
     def _checkDisallowedPreviousPassword(self, password):
         if self._disallowPasswordReuse():
-            if self.previousPasswords is not None:
+            if self.previousPasswords is not None and password is not None:
                 #hack, but this should work with zope.app.authentication and
                 #z3c.authenticator
                 passwordManager = self._getPasswordManager()
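Review bot: The added ``password is not None`` test in ``_checkDisallowedPreviousPassword`` carries no comment explaining why ``None`` is exempt from the reuse policy; the only explanation (``None`` signals a disabled user) is in principal.txt. Suggest a one-line comment above the condition, or an early ``if password is None: return`` at the top of the method so the exemption is visible on its own and is not buried in the ``previousPasswords`` check.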
@@ -63,7 +63,8 @@
             if self.previousPasswords is None:
                 self.previousPasswords = persistent.list.PersistentList()
 
-            self.previousPasswords.append(self.password)
+            if self.password is not None:
+                self.previousPasswords.append(self.password)
 
         self.passwordSetOn = self.now()
         self.failedAttempts = 0
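Review bot: The new ``if self.password is not None:`` guard keeps new ``None`` values out of ``previousPasswords``, but it does nothing for lists that were persisted before this revision, where the removed line appended ``self.password`` unconditionally. Those lists can still hold ``None`` entries; consider dropping them here when the list is touched, or skipping them where the history is compared, so that existing principals behave the same as new ones.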

Modified: z3c.password/trunk/src/z3c/password/principal.txt
===================================================================
--- z3c.password/trunk/src/z3c/password/principal.txt	2009-12-08 12:17:31 UTC (rev 106277)
+++ z3c.password/trunk/src/z3c/password/principal.txt	2009-12-08 13:49:15 UTC (rev 106278)
@@ -660,7 +660,27 @@
 
   >>> user.setPassword('789789')
 
+Corner case. The password ``None`` is a special case, it signals that the
+user is disabled.
 
+But ``None`` works only with the ``Plain Text`` password manager.
+
+  >>> user.setPassword('790789', passwordManagerName="Plain Text")
+
+That means, it should be possible to set the password to ``None`` anytime,
+regardless of disallowPasswordReuse.
+
+  >>> user.setPassword(None)
+
+  >>> user.setPassword('890789')
+
+  >>> user.setPassword(None)
+
+  >>> user.setPassword('891789')
+
+  >>> user.setPassword(None)
+
+
 ``passwordOptionsUtilityName``
 ------------------------------
 
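Review bot: The added doctest calls ``user.setPassword(None)`` three times but never asserts anything, so it only proves that no exception is raised. Suggest also checking that ``None`` does not appear in ``user.previousPasswords`` afterwards, and that a real password is still rejected as reused after an intervening ``None`` (for example, setting '890789' again after the ``setPassword(None)`` call), so the test shows the policy is not weakened by disabling and re-enabling a user. Minor: ``disallowPasswordReuse`` in the prose is missing the double backticks used elsewhere in the file.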


