[Zope-CMF] PAS: authenticateCredentials: check lowercase too?

Tres Seaver tseaver at palladion.com
Thu Dec 27 19:52:23 UTC 2012



(PAS stuff is OT for the CMF list.  Please follow up on zope-pas at zope.org
or the equivalent Gmane newsgroup).

On 12/27/2012 01:22 PM, Maurits van Rees wrote:
> Hi,
> 
> In Products/PluggableAuthService/plugins/ZODBUserManager.py I would
> like to check the lower case version of the passed login name as
> well:
> 
> def authenticateCredentials( self, credentials ):
>     login = credentials.get( 'login' )
>     password = credentials.get( 'password' )
>     if login is None or password is None:
>         return None
>     userid = self._login_to_userid.get(login)
>     if userid is None:
>         # HERE STARTS THE EXTRA CODE:
>         login = login.lower()
>         userid = self._login_to_userid.get(login)
>         if userid:
>             # Update the login in the credentials, as they might
>             # be used elsewhere.
>             credentials['login'] = login
>         else:
>             return None
>         # HERE ENDS THE EXTRA CODE.
>     reference = self._user_passwords.get(userid)
>     if reference is None:
>         return None
>     ...
>     # etcetera
> 
> 
> For example, in the case of Plone, we may be using the email address
> as login name.  Some people use a mix of upper and lower case in their
> email address, for example "Maurits at VanRees.Org".  When logging in
> fails, they start to wonder whether they have remembered their
> password wrongly or if they have entered their email address in lower
> case or if they have capitalized it differently.  The result: a
> support call.
> 
> I have seen this happen several times for a customer and have heard
> the same from one other person on the plone core developers list.
> 
> It would help if PAS would first check with the exact spelling given
> and if that fails, try the completely lowercase version.  Note that
> this should be safe: if this somehow gets a different user id than
> intended, the password should still match that user.
> 
> I have used the above code in a patch in the collective.emaillogin 
> add-on in Plone 3 for a long time now and have not had complaints
> since. Of course it has more patches that make sure that the login
> name is actually lowercased before adding a new user, but that is
> outside the scope of this mail.
> 
> I think the above code would be fine to put in core PAS.  It is safe
> as far as I can tell and the extra processing time required when a
> login fails should be small.  Is anyone against that?

I would prefer to have the case insensitivity be a configurable option of
the plugin (in which case it would always lowercase the login when the
user was created or updated, as well as before comparing).


> By the way, I remember having seen somewhere in PAS or PlonePAS or
> somewhere else a while ago a class that had a boolean attribute called
> something like '__case_insensitive', which was False by default.
> That was intended to do something similar, but it did not work when I
> tried using it.  This is all very vague and I cannot find it back.
> Maybe it was simply removed.  But does this ring a bell for anyone?

I don't remember such an attribute.



Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
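As an added illustration (not code from PAS or from either poster), the following models ZODBUserManager's `_login_to_userid` and `_user_passwords` mappings with a minimal stand-in and implements both proposals from the thread side by side: Maurits's lowercase retry after a failed lookup, and Tres's `case_insensitive` option that lowercases logins when a user is created as well as at lookup. The class name, `addUser`, `_normalise`, the `lowercase_fallback` parameter and the salted-hash storage are assumptions made for this example.

```python
# Added example, not PAS code: a stand-in for ZODBUserManager's two mappings.
# Names other than authenticateCredentials and the salted-hash storage are
# assumptions for the illustration.
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 50_000)

class UserManager:
    def __init__(self, case_insensitive=False):
        # Tres's proposal: an option that lowercases on write and on lookup.
        self.case_insensitive = case_insensitive
        self._login_to_userid = {}          # login  -> userid
        self._user_passwords = {}           # userid -> (salt, hash)

    def _normalise(self, login):
        return login.lower() if self.case_insensitive else login

    def addUser(self, userid, login, password):
        login = self._normalise(login)
        if login in self._login_to_userid:
            # With case_insensitive=True this also rejects a second account
            # whose login differs from an existing one only by case.
            raise ValueError('duplicate login %r' % login)
        salt = os.urandom(16)
        self._login_to_userid[login] = userid
        self._user_passwords[userid] = (salt, _hash(password, salt))

    def authenticateCredentials(self, credentials, lowercase_fallback=False):
        login = credentials.get('login')
        password = credentials.get('password')
        if login is None or password is None:
            return None
        login = self._normalise(login)
        userid = self._login_to_userid.get(login)
        if userid is None and lowercase_fallback:
            # Maurits's proposal: retry with the all-lowercase spelling and
            # rewrite the login in the credentials for later plugins.
            login = login.lower()
            userid = self._login_to_userid.get(login)
            if userid is not None:
                credentials['login'] = login
        if userid is None:
            return None
        salt, reference = self._user_passwords[userid]
        # Whichever spelling matched, the password must match *that* user.
        if not hmac.compare_digest(reference, _hash(password, salt)):
            return None
        return userid, login
```

With the fallback alone, two accounts whose logins differ only in case can still coexist in a case-sensitive store; lowercasing at creation time, as Tres suggests, is what rules that out.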