[Checkins] SVN: z3c.password/branches/jw-noraise-for-irrelevant-requests/src/z3c/password/principal.txt add an edge-case test for requests following a TooManyLoginFailures error
Jan-Wijbrand Kolman
janwijbrand at gmail.com
Fri Feb 5 05:50:23 EST 2010
Log message for revision 108782:
add an edge-case test for requests following a TooManyLoginFailures error
Changed:
U z3c.password/branches/jw-noraise-for-irrelevant-requests/src/z3c/password/principal.txt
-=-
Modified: z3c.password/branches/jw-noraise-for-irrelevant-requests/src/z3c/password/principal.txt
===================================================================
--- z3c.password/branches/jw-noraise-for-irrelevant-requests/src/z3c/password/principal.txt 2010-02-05 09:29:14 UTC (rev 108781)
+++ z3c.password/branches/jw-noraise-for-irrelevant-requests/src/z3c/password/principal.txt 2010-02-05 10:50:23 UTC (rev 108782)
@@ -196,7 +196,7 @@
>>> user.failedAttemptCheck = interfaces.TML_CHECK_NONRESOURCE
Create our dummy request:
-Watch out! this is a request for a resource (/@@/)
+Watch out! this is a request for a resource (note the "/@@/" in the URL)
>>> request = testing.TestBrowserRequest('http://localhost/@@/logo.gif')
>>> zope.security.management.getInteraction().add(request)
@@ -273,7 +273,6 @@
0
Try a POST request. What a loginform usually is.
-(Note, that the request gets examined only if the password does not match.)
>>> zope.security.management.getInteraction().remove(request)
>>> request = testing.TestBrowserRequest('http://localhost/loginform.html',
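Review bot: the sentence "(Note, that the request gets examined only if the password does not match.)" is deleted here, and again in the hunk at -614, with no replacement, while the log message only mentions adding a test. The test added at the end of this revision makes the request type decide whether TooManyLoginFailures is raised. If that is why the sentence no longer holds, replace it with one that says when the request is examined instead of dropping it, and mention the documentation change in the log message.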
@@ -614,7 +613,6 @@
0
Try a POST request. What a loginform usually is.
-(Note, that the request gets examined only if the password does not match.)
>>> zope.security.management.getInteraction().remove(request)
>>> request = testing.TestBrowserRequest('http://localhost/loginform.html',
@@ -1007,8 +1005,44 @@
>>> user.lastFailedAttempt is None
True
+After the maximum amount of failed attempts has been reached, subsequent
+login attempts will raise an error. This error should however only be raised
+for these types of requests that were relevant to the counting failed
+attempts.
+ >>> # Set a POST request, as only this type of request will be counted for.
+ >>> request = testing.TestBrowserRequest(
+ ... 'http://localhost/index.html', 'POST')
+ >>> zope.security.management.getInteraction().add(request)
+ >>> poptions.failedAttemptCheck = interfaces.TML_CHECK_POSTONLY
+ >>> poptions.maxFailedAttempts = 2
+ >>> user = MyPrincipal('srichter', '123123', u'Stephan Richter')
+ >>> user.checkPassword('wrong_once')
+ False
+ >>> user.failedAttempts
+ 1
+
+ >>> user.checkPassword('wrong_twice')
+ False
+ >>> user.failedAttempts
+ 2
+
+ >>> user.checkPassword('wrong_three_times')
+ Traceback (most recent call last):
+ ...
+ TooManyLoginFailures: The password was entered incorrectly too often.
+
+ >>> # Set a GET request. This should not raise any error.
+ >>> zope.security.management.getInteraction().remove(request)
+ >>> request = testing.TestBrowserRequest(
+ ... 'http://localhost/@@/logo.gif', 'GET')
+ >>> zope.security.management.getInteraction().add(request)
+
+ >>> user.checkPassword('wrong_four_times')
+ False
+
+
``passwordSetOn`` might happen to be None.
In case the mixin gets applied to the user object after it's been created
the ``passwordSetOn`` property will be None. That caused a bug.
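Review bot: the GET step at the end of the added block only asserts that `user.checkPassword('wrong_four_times')` returns False, which leaves the security-relevant part of this edge case unpinned. Add a `user.failedAttempts` check after it to show the count stays at 2, repeat the call with the correct password ('123123') on the same GET request so the doctest states whether a locked-out principal can authenticate through a request type that is not counted, and switch back to a POST request to show that TooManyLoginFailures is still raised. The block also leaves `poptions.failedAttemptCheck`, `poptions.maxFailedAttempts` and the GET request in the interaction modified for the `passwordSetOn` section that follows, so reset them at the end. The introduction would read better as "only be raised for the types of request that are relevant to counting failed attempts".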