[Checkins] SVN: Products.PluggableAuthService/trunk/ Launchpad #789858: don't allow conflicting login name in 'updateUser'.

Tres Seaver tseaver at palladion.com
Mon May 30 13:25:28 EDT 2011


Log message for revision 121841:
  Launchpad #789858:  don't allow conflicting login name in 'updateUser'.
  

Changed:
  U   Products.PluggableAuthService/trunk/CHANGES.txt
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py

-=-
Modified: Products.PluggableAuthService/trunk/CHANGES.txt
===================================================================
--- Products.PluggableAuthService/trunk/CHANGES.txt	2011-05-30 17:17:32 UTC (rev 121840)
+++ Products.PluggableAuthService/trunk/CHANGES.txt	2011-05-30 17:25:28 UTC (rev 121841)
@@ -4,6 +4,8 @@
 1.7.5 (unreleased)
 ------------------
 
+- Launchpad #789858:  don't allow conflicting login name in 'updateUser'.
+
 - Set appropriate cache headers on CookieAuthHelper login redirects to prevent
   caching by proxy servers.
 

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py	2011-05-30 17:17:32 UTC (rev 121840)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py	2011-05-30 17:25:28 UTC (rev 121841)
@@ -299,10 +299,15 @@
         # The following raises a KeyError if the user_id is invalid
         old_login = self.getLoginForUserId(user_id)
 
-        del self._login_to_userid[old_login]
-        self._login_to_userid[login_name] = user_id
-        self._userid_to_login[user_id] = login_name
+        if old_login != login_name:
 
+            if self._login_to_userid.get(login_name) is not None:
+                raise ValueError('Login name not available: %s' % login_name)
+
+            del self._login_to_userid[old_login]
+            self._login_to_userid[login_name] = user_id
+            self._userid_to_login[user_id] = login_name
+
     security.declarePrivate( 'removeUser' )
     def removeUser( self, user_id ):
 
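Review bot: The duplicate-login check raises `ValueError`, but the only contract visible in this hunk is the comment about `KeyError` for an invalid user_id, so callers have no documented signal for the new failure. I would add a comment above the check, e.g. `# Refuse a login that already maps to a user id: overwriting the entry would make that login resolve to this user.`, and name the ValueError in the method's docstring; the method starts above the hunk, so whether a docstring exists is not visible here. The lookup would read more directly as `if login_name in self._login_to_userid:`. The comparison is on the exact string, so if logins must be unique regardless of case or surrounding whitespace, that normalisation has to happen before this point, which the hunk does not show.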

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py	2011-05-30 17:17:32 UTC (rev 121840)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py	2011-05-30 17:25:28 UTC (rev 121841)
@@ -445,6 +445,17 @@
         self.assertEqual(user_id, 'user1')
         self.assertEqual(login, 'user1 at foobar.com')
 
+    def test_updateUser_login_name_conflicts(self):
+        # See https://bugs.launchpad.net/zope-pas/+bug/789858
+        zum = self._makeOne()
+
+        # Create a user and make sure we can authenticate with it
+        zum.addUser( 'user1', 'user1 at example.com', 'password' )
+        zum.addUser( 'user2', 'user2 at example.com', 'other' )
+
+        self.assertRaises(ValueError,
+                          zum.updateUser, 'user1', 'user2 at example.com')
+
     def test_enumerateUsersWithOptionalMangling(self):
 
         zum = self._makeOne()
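Review bot: The new test asserts only that `ValueError` is raised and never checks that the rejected update left both login mappings untouched, which is the property the fix is meant to protect. After the `assertRaises` I would add `self.assertEqual(zum.getLoginForUserId('user1'), 'user1 at example.com')` and the equivalent assertion for `'user2'`. The `old_login != login_name` branch added in ZODBUserManager.py also deserves a case where updateUser is called with the user's current login and must not raise. The comment "Create a user and make sure we can authenticate with it" does not describe this test, which creates two users and never authenticates; something like `# Two users with distinct logins; user1 must not be able to take user2's login` would fit.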


