[Zope] Securing acl_users change password forms

Adam Manock abmanock@earthlink.net
Sun, 27 Jan 2002 11:46:22 -0500


Problem:

Allowing users who have no rights to the Zope management interface to 
change their own passwords using a DTML method that collects at least the 
following from the user:

Old Password
New Password
Confirm New Password

Creating a form to do this is easy if you're using XUF and you are storing 
account info in a Postgres database, for example (see pgAuthSource / 
pgAuthSourceAlt of exUserFolder).

When using stock acl_users I found it got a little ugly. I thought the 
below would work for checking that the user changing the password actually 
knew the old password and was not just someone walking up to someone else's 
computer at lunchtime:

<dtml-if "_.SecurityGetUser().authenticate(REQUEST.form['oldPassword'], REQUEST)">

But last time I looked it didn't work without making a change to Zope's 
AccessControl/User.py.

Changing this:

def __allow_access_to_unprotected_subobjects__(self, name, value=None):
    deny_names=('name', '__', 'roles', 'domains', '_getPassword',
                'authenticate', '_shared_roles')
    if name in deny_names:
        return 0
    return 1

To this:

def __allow_access_to_unprotected_subobjects__(self, name, value=None):
    deny_names=('name', '__', 'roles', 'domains', '_getPassword',
                '_shared_roles')
    if name in deny_names:
        return 0
    return 1

Of course doing that potentially opens up a whole new can of worms...

Am I missing something? Is there a way to do a change password form for 
users defined in acl_users that checks the old password first without also 
hacking User.py?

Adam
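An added example (not from Adam's post or from Zope itself): a stand-alone Python simulation of the __allow_access_to_unprotected_subobjects__ gate quoted above. User and guarded_getattr are constructed stand-ins for AccessControl.User and Zope's restricted attribute check, PatchedUser carries the deny list with 'authenticate' removed as in the User.py edit, and change_password is a hypothetical trusted-code wrapper that verifies the old password without that edit.

```python
class Unauthorized(Exception):
    """Raised when untrusted (DTML) code reaches a denied attribute."""

class User:
    """Constructed stand-in for AccessControl.User.User, not Zope's code."""
    # Same deny list as stock Zope in the post above; the password lives in '__'.
    DENY_NAMES = ('name', '__', 'roles', 'domains', '_getPassword',
                  'authenticate', '_shared_roles')

    def __init__(self, name, password):
        self.name = name
        self.__ = password  # stored in clear here purely to keep the demo short

    def getUserName(self):
        return self.name

    def _getPassword(self):
        return self.__

    def authenticate(self, password, request=None):
        return password == self._getPassword()

    def __allow_access_to_unprotected_subobjects__(self, name, value=None):
        if name in self.DENY_NAMES:
            return 0
        return 1

class PatchedUser(User):
    """The User.py edit from the post: 'authenticate' dropped from the deny list."""
    DENY_NAMES = tuple(n for n in User.DENY_NAMES if n != 'authenticate')

def guarded_getattr(obj, name):
    """Simulates the check restricted code goes through before attribute access."""
    value = getattr(obj, name)
    if not obj.__allow_access_to_unprotected_subobjects__(name, value):
        raise Unauthorized(name)
    return value

def is_denied(obj, name):
    # True if restricted code would be refused attribute 'name' on obj.
    try:
        guarded_getattr(obj, name)
    except Unauthorized:
        return True
    return False

def change_password(user, old_password, new_password, confirm):
    """Hypothetical trusted-code wrapper: it may call authenticate() although DTML cannot."""
    if not user.authenticate(old_password):
        return False            # wrong old password: reject, nothing changes
    if not new_password or new_password != confirm:
        return False            # empty or mismatched confirmation
    user.__ = new_password
    return True
```

With the stock deny list, DTML is refused both authenticate() and _getPassword(), so the old-password check has to live in trusted code; the patched list hands authenticate() to every DTML author, which is the can of worms the post refers to.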