[Zope-PAS] dealing with deleted users
jens at dataflake.org
Sat May 27 17:45:10 EDT 2006
I would have hoped for a few more opinions before doing that...
please don't be so quick next time.
On 27 May 2006, at 22:40, Wichert Akkerman wrote:
> Ok, I'll change PAS to behave like CookieCrumbler on trunk.
> Previously Chris McDonough wrote:
>> I imagine it's an accident of implementation.
>> On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:
>>> On 27 May 2006, at 20:37, Wichert Akkerman wrote:
>>>> I was investigating a plone bug (http://dev.plone.org/plone/ticket/
>>>> and it is caused by PAS behaviour. The problem boils down to
>>>> logic in
>>>> CookieAuthHelper.extractCredentials: if a cookie is present the
>>>> credentials are extracted from it and form fields are ignored. This
>>>> means that if we have a cookie containing credentials which no
>>>> authenticate it becomes impossible to login as a different user
>>>> the form data is never seen.
>>> Looking at the equivalent in the CookieCrumbler code (method
>>> modifyRequest) it seems the cookie crumbler does it the other way
>>> around and will look for form data before looking for the cookie.
>>> I'd be interested to find out the rationale for weighting cookie
>>> information higher than form data. Does anyone remember?
>>> Zope-PAS mailing list
>>> Zope-PAS at zope.org
> Wichert Akkerman <wichert at wiggy.net> It is simple to make things.
> http://www.wiggy.net/ It is hard to make things
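As an added illustration that is not part of the original thread or of the PAS or CookieCrumbler code, here is a simplified Python model of the two extraction orders discussed above, run against a constructed request carrying a stale cookie for a deleted user together with a fresh login form. The cookie name, form field names, cookie encoding and user store are assumptions made for the sketch.

```python
import base64

# Constructed user store: "olduser" was deleted, so its cookie no longer authenticates.
USERS = {"alice": "s3cret"}

def encode_cookie(login, password):
    # Assumed cookie format for this sketch: base64("login:password")
    return base64.b64encode(f"{login}:{password}".encode()).decode()

def creds_from_cookie(request):
    raw = request.get("cookies", {}).get("__ac")
    if not raw:
        return None
    try:
        login, _, password = base64.b64decode(raw).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # undecodable cookie: treat as absent
    return {"login": login, "password": password, "source": "cookie"}

def creds_from_form(request):
    form = request.get("form", {})
    if "__ac_name" in form and "__ac_password" in form:
        return {"login": form["__ac_name"],
                "password": form["__ac_password"], "source": "form"}
    return None

def extract_cookie_first(request):
    """Order the thread describes for CookieAuthHelper.extractCredentials."""
    return creds_from_cookie(request) or creds_from_form(request)

def extract_form_first(request):
    """Order the thread describes for CookieCrumbler.modifyRequest."""
    return creds_from_form(request) or creds_from_cookie(request)

def authenticate(creds):
    if creds and USERS.get(creds["login"]) == creds["password"]:
        return creds["login"]
    return None

# Constructed request: stale cookie for a deleted user plus a fresh login form post.
REQUEST = {
    "cookies": {"__ac": encode_cookie("olduser", "oldpass")},
    "form": {"__ac_name": "alice", "__ac_password": "s3cret"},
}

if __name__ == "__main__":
    for extract in (extract_cookie_first, extract_form_first):
        creds = extract(REQUEST)
        print(extract.__name__, creds["source"], authenticate(creds))
```

With the cookie-first order the submitted form is never read, so the login fails for as long as the stale cookie is sent; with the form-first order the explicit login attempt takes effect.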