[Zope-PAS] dealing with deleted users
chrism at plope.com
Sat May 27 17:24:35 EDT 2006
I imagine it's an accident of implementation.
On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:
> On 27 May 2006, at 20:37, Wichert Akkerman wrote:
>> I was investigating a plone bug (http://dev.plone.org/plone/ticket/
>> and it is caused by PAS behaviour. The problem boils down to
>> logic in
>> CookieAuthHelper.extractCredentials: if a cookie is present the
>> credentials are extracted from it and form fields are ignored. This
>> means that if we have a cookie containing credentials which no longer
>> authenticate it becomes impossible to login as a different user since
>> the form data is never seen.
> Looking at the equivalent in the CookieCrumbler code (method
> modifyRequest) it seems the cookie crumbler does it the other way
> around and will look for form data before looking for the cookie.
> I'd be interested to find out the rationale for weighting cookie
> information higher than form data. Does anyone remember?
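Added example, not code from this thread and not the real CookieAuthHelper or CookieCrumbler source: a constructed Python model of the two extraction orders discussed above. The request shape (dicts for cookies and form), the user store, and the cookie encoding (base64 of "login:password") are assumptions for illustration. The cookie-first order reproduces the reported failure: a stale cookie for a deleted user shadows a valid login form in the same request, so the form is never seen.

```python
import base64
from typing import Dict, Optional

# Assumed cookie name and encoding (base64 of "login:password"); the real
# plugin's format is not shown in the thread, this is only a model.
COOKIE_NAME = "__ac"

# Constructed user store: "alice" has been deleted, only "bob" still exists.
USERS = {"bob": "bob-secret"}


def encode_cookie(login: str, password: str) -> str:
    return base64.b64encode(f"{login}:{password}".encode()).decode()


def creds_from_cookie(request: Dict) -> Optional[Dict[str, str]]:
    """Credentials carried by the login cookie, or None if absent/not ours."""
    cookie = request.get("cookies", {}).get(COOKIE_NAME)
    if not cookie or cookie == "deleted":
        return None
    try:
        raw = base64.b64decode(cookie).decode()
        login, password = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # not in our format, so not our cookie
    return {"login": login, "password": password}


def creds_from_form(request: Dict) -> Optional[Dict[str, str]]:
    """Credentials posted by the login form, or None if no form login."""
    form = request.get("form", {})
    login = form.get("__ac_name")
    if not login or "__ac_password" not in form:
        return None
    return {"login": login, "password": form["__ac_password"]}


def extract_cookie_first(request: Dict) -> Dict[str, str]:
    """Order described for CookieAuthHelper: if a cookie is present it wins
    and the form fields are never consulted."""
    return creds_from_cookie(request) or creds_from_form(request) or {}


def extract_form_first(request: Dict) -> Dict[str, str]:
    """Order described for CookieCrumbler: a fresh form submission wins,
    the cookie is only used when no form login was posted."""
    return creds_from_form(request) or creds_from_cookie(request) or {}


def authenticate(creds: Dict[str, str]) -> Optional[str]:
    """Return the user id if the credentials still authenticate, else None."""
    login = creds.get("login")
    if login is not None and USERS.get(login) == creds.get("password"):
        return login
    return None


# Constructed request: a stale cookie for the deleted user "alice" and a
# login form for "bob" arrive together, as in the reported Plone bug.
STALE_REQUEST = {
    "cookies": {COOKIE_NAME: encode_cookie("alice", "alice-secret")},
    "form": {"__ac_name": "bob", "__ac_password": "bob-secret"},
}


def login_outcome(extractor, request: Dict = STALE_REQUEST) -> Optional[str]:
    return authenticate(extractor(request))


if __name__ == "__main__":
    print("cookie-first:", login_outcome(extract_cookie_first))  # None
    print("form-first:  ", login_outcome(extract_form_first))    # bob
```

The model only covers extraction order; a real form-first plugin must also overwrite the stale cookie on a successful form login (and clear it on a failed one), otherwise the next request without form data falls back to the dead credentials again.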