[Zope] Re: Zope digest, Vol 1 #616 - 60 msgs

Tres Seaver tseaver@palladion.com
Mon, 07 Feb 2000 16:47:24 -0600


> From: 
> Organization: Digital Creations
> To: "Cornelis J. de Brabander" <brabander@fsw.LeidenUniv.nl>
> CC: zope <zope@zope.org>
> Subject: Re: [Zope] upgrading to 2.1.3 and acl_users
> 
> Cornelius,
> 
> I noticed this too the other day.
> 
> It's a form problem.  It's not a serious issue, just that the form that
> comes with 2.1.3 (and 2.1.2, and maybe even 2.1.0) for editing users
> doesn't have the proper DTML to show the old username and password.  I'm
> not even sure that this wasn't a feature.
> 
> I will either fix it or put it in the collector soon.

NOOOOOOOO!  It was an awful security hole to echo the existing password out to
the User edit form -- please don't put it back!  Think about it -- on a Unix
system, even root can't read another user's password, but only reset it.  This is
the Right Thing (TM) for Zope to do.


> 
> "Cornelis J. de Brabander" wrote:
> >
> > Hi,
> > I have performed an upgrade from 2.0.0 to 2.1.3. (Windows NT) by copying
> > the data.fs.* to the var directory of the new Zope install. Both services
> > were stopped during copy. All went well, but in all acl_users folders the
> > passwords appear to have disappeared: in the manage screen of acl_users, the
> > password and confirm fields are empty. However, the site functions as it
> > should: where required access is only granted after inputting the original
> > password that belonged to a user in the 2.0.0-version. Does anybody have a
> > clue about what could have happened, respectively whether this is a
> > forerunner of trouble?
> > cb


-- 
=========================================================
Tres Seaver         tseaver@palladion.com    713-523-6582
Palladion Software  http://www.palladion.com
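
The reset-only behaviour argued for in the reply above, as an added example that is not part of the original message and is not Zope's own code. `UserStore` and its methods are hypothetical names; the sketch assumes the store keeps a salted PBKDF2 hash, renders the password and confirm fields empty, and treats two empty fields as "keep the current password".

```python
import hashlib, hmac, html, os

class UserStore:
    """Hypothetical user folder: holds a salted hash, never the password itself."""
    def __init__(self):
        self._users = {}  # name -> (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._digest(password, salt))

    def check(self, name, password):
        if name not in self._users:
            return False
        salt, digest = self._users[name]
        return hmac.compare_digest(digest, self._digest(password, salt))

    def render_edit_form(self, name):
        if name not in self._users:
            raise KeyError(name)
        # Password and confirm are always emitted empty: there is nothing to echo.
        return ('<form method="post">'
                f'<input name="name" value="{html.escape(name, quote=True)}" readonly>'
                '<input type="password" name="password" value="">'
                '<input type="password" name="confirm" value="">'
                '</form>')

    def apply_edit(self, name, password="", confirm=""):
        if name not in self._users:
            raise KeyError(name)
        if not password and not confirm:
            return "unchanged"   # empty fields mean "keep the existing password"
        if password != confirm:
            raise ValueError("password and confirm do not match")
        self.set_password(name, password)
        return "reset"           # a manager can replace the secret, never read it

if __name__ == "__main__":
    store = UserStore()
    store.set_password("cb", "orig-secret")   # constructed sample account
    print(store.render_edit_form("cb"))
    print(store.apply_edit("cb"), store.check("cb", "orig-secret"))
```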