[Checkins] SVN: Products.PluggableAuthService/trunk/ In authenticateCredentials do NOT fall back to using the login as userid.
Maurits van Rees
cvs-admin at zope.org
Wed Apr 18 14:04:38 UTC 2012
Log message for revision 125172:
In authenticateCredentials do NOT fall back to using the login as userid.
The fallback made it likely that a login appeared to succeed while in
reality it failed later on.
Changed:
U Products.PluggableAuthService/trunk/CHANGES.txt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py
-=-
Modified: Products.PluggableAuthService/trunk/CHANGES.txt
===================================================================
--- Products.PluggableAuthService/trunk/CHANGES.txt 2012-04-18 13:50:19 UTC (rev 125171)
+++ Products.PluggableAuthService/trunk/CHANGES.txt 2012-04-18 14:04:35 UTC (rev 125172)
@@ -4,7 +4,12 @@
1.7.8 (unreleased)
------------------
+- In authenticateCredentials do NOT fall back to using the login as
+ userid when there is no match, as that gives a high chance of
+ seeming to log in successfully, but in reality failing.
+ [maurits]
+
1.7.7 (2012-02-27)
------------------
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py 2012-04-18 13:50:19 UTC (rev 125171)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/ZODBUserManager.py 2012-04-18 14:04:35 UTC (rev 125172)
@@ -102,7 +102,21 @@
if login is None or password is None:
return None
- userid = self._login_to_userid.get( login, login )
+ # Do we have a link between login and userid? Do NOT fall
+ # back to using the login as userid when there is no match, as
+ # that gives a high chance of seeming to log in successfully,
+ # but in reality failing.
+ userid = self._login_to_userid.get(login)
+ if userid is None:
+ # Someone may be logging in with a userid instead of a
+ # login name and the two are not the same. We could try
+ # turning those around, but really we should just fail.
+ #
+ # userid = login
+ # login = self._userid_to_login.get(userid)
+ # if login is None:
+ # return None
+ return None
reference = self._user_passwords.get(userid)
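Review bot: The new `if userid is None:` branch carries four lines of commented-out code (the `userid = login` / `login = self._userid_to_login.get(userid)` alternative) that will rot alongside the live code; keep the reasoning and drop the dead code, e.g. replace that inner comment block with `# A userid presented as a login name is not a valid login; do not swap the two, just fail.` followed by the `return None`. The decision itself is sound from a defender's view: accepting the userid as a login would let a credential that does not map to any login appear to authenticate, and the explicit `None` lookup with `.get(login)` makes the no-match path unambiguous. Note that the unmatched-login path now returns before the password check on `reference`, so the two failure modes take observably different code paths — probably acceptable here, but worth a one-line comment if the plugin is expected to behave uniformly for unknown and known logins. authenticateCredentials starts and ends outside the hunk.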
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py 2012-04-18 13:50:19 UTC (rev 125171)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_ZODBUserManager.py 2012-04-18 14:04:35 UTC (rev 125172)
@@ -146,6 +146,20 @@
self.assertEqual( user_id, 'userid' )
self.assertEqual( login, 'userid at example.com' )
+ def test_authenticateCredentials_only_matches_login_name( self ):
+ # When userid and login name are different, then
+ # authentication with the userid should fail. Alternatively,
+ # perhaps it would not be too bad, but we should definitely
+ # NOT return the userid as the login name, which was the
+ # previous behaviour, as this makes us appear to login but it
+ # fails a bit later on anyway.
+ zum = self._makeOne()
+
+ zum.addUser( 'userid', 'userid at example.com', 'password' )
+
+ self.assertEqual(zum.authenticateCredentials(
+ { 'login' : 'userid' , 'password' : 'password'}), None)
+
def test_enumerateUsers_no_criteria( self ):
from Products.PluggableAuthService.tests.test_PluggableAuthService \