Mailing List Archive: Zope: CMF

PAS: authenticateCredentials: check lowercase too?



m.van.rees at zestsoftware

Dec 27, 2012, 10:22 AM

Post #1 of 2
PAS: authenticateCredentials: check lowercase too?

Hi,

In Products/PluggableAuthService/plugins/ZODBUserManager.py I would like
to check the lower case version of the passed login name as well:

def authenticateCredentials( self, credentials ):
    login = credentials.get( 'login' )
    password = credentials.get( 'password' )
    if login is None or password is None:
        return None
    userid = self._login_to_userid.get(login)
    if userid is None:
        # HERE STARTS THE EXTRA CODE:
        login = login.lower()
        userid = self._login_to_userid.get(login)
        if userid:
            # Update the login in the credentials, as they might
            # be used elsewhere.
            credentials['login'] = login
        else:
            return None
        # HERE ENDS THE EXTRA CODE.
    reference = self._user_passwords.get(userid)
    if reference is None:
        return None
    ... # etcetera


For example, in the case of Plone, we may be using the email address as
login name. Some people use a mix of upper and lower case in their
email address, for example "Maurits at VanRees.Org". When logging in
fails, they start to wonder whether they have remembered their password
wrongly or if they have entered their email address in lower case or if
they have capitalized it differently. The result: a support call.

I have seen this happen several times for a customer and have heard the
same from one other person on the plone core developers list.

It would help if PAS would first check with the exact spelling given and
if that fails, try the completely lowercase version. Note that this
should be safe: if this somehow gets a different user id than intended,
the password should still match that user.

I have used the above code in a patch in the collective.emaillogin
add-on in Plone 3 for a long time now and have not had complaints since.
Of course it has more patches that make sure that the login name is
actually lowercased before adding a new user, but that is outside the
scope of this mail.

I think the above code would be fine to put in core PAS. It is safe as
far as I can tell and the extra processing time required when a login
fails should be small. Is anyone against that?


By the way, I remember having seen somewhere in PAS or PlonePAS or
somewhere else a while ago a class that had a boolean attribute called
something like '__case_insensitive', which was False by default. That
was intended to do something similar, but it did not work when I tried
using it. This is all very vague and I cannot find it back. Maybe it
was simply removed. But does this ring a bell for anyone?

Thanks,


--
Maurits van Rees: http://maurits.vanrees.org/
Zest Software: http://zestsoftware.nl

_______________________________________________
Zope-CMF maillist - Zope-CMF [at] zope
https://mail.zope.org/mailman/listinfo/zope-cmf

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests


tseaver at palladion

Dec 27, 2012, 11:52 AM

Post #2 of 2
Re: PAS: authenticateCredentials: check lowercase too? [In reply to]


(PAS stuff is OT for the CMF list. Please follow up on zope-pas [at] zope
or the equivalent Gmane newsgroup).

On 12/27/2012 01:22 PM, Maurits van Rees wrote:
> Hi,
>
> In Products/PluggableAuthService/plugins/ZODBUserManager.py I would
> like to check the lower case version of the passed login name as
> well:
>
> def authenticateCredentials( self, credentials ):
>     login = credentials.get( 'login' )
>     password = credentials.get( 'password' )
>     if login is None or password is None:
>         return None
>     userid = self._login_to_userid.get(login)
>     if userid is None:
>         # HERE STARTS THE EXTRA CODE:
>         login = login.lower()
>         userid = self._login_to_userid.get(login)
>         if userid:
>             # Update the login in the credentials, as they might
>             # be used elsewhere.
>             credentials['login'] = login
>         else:
>             return None
>         # HERE ENDS THE EXTRA CODE.
>     reference = self._user_passwords.get(userid)
>     if reference is None:
>         return None
>     ... # etcetera
>
>
> For example, in the case of Plone, we may be using the email address
> as login name. Some people use a mix of upper and lower case in their
> email address, for example "Maurits at VanRees.Org". When logging in
> fails, they start to wonder whether they have remembered their
> password wrongly or if they have entered their email address in lower
> case or if they have capitalized it differently. The result: a
> support call.
>
> I have seen this happen several times for a customer and have heard
> the same from one other person on the plone core developers list.
>
> It would help if PAS would first check with the exact spelling given
> and if that fails, try the completely lowercase version. Note that
> this should be safe: if this somehow gets a different user id than
> intended, the password should still match that user.
>
> I have used the above code in a patch in the collective.emaillogin
> add-on in Plone 3 for a long time now and have not had complaints
> since. Of course it has more patches that make sure that the login
> name is actually lowercased before adding a new user, but that is
> outside the scope of this mail.
>
> I think the above code would be fine to put in core PAS. It is safe
> as far as I can tell and the extra processing time required when a
> login fails should be small. Is anyone against that?

I would prefer to have the case insensitivity be a configurable option of
the plugin (in which case it would always lowercase the login when the
user was created or updated, as well as before comparing).


> By the way, I remember having seen somewhere in PAS or PlonePAS or
> somewhere else a while ago a class that had a boolean attribute called
> something like '__case_insensitive', which was False by default.
> That was intended to do something similar, but it did not work when I
> tried using it. This is all very vague and I cannot find it back.
> Maybe it was simply removed. But does this ring a bell for anyone?

I don't remember such an attribute.



Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver [at] palladion
Palladion Software "Excellence by Design" http://palladion.com

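As an added illustration, not code from this thread or from PAS itself, here is a small Python stand-in for a ZODBUserManager-like plugin that implements both approaches discussed: the exact-then-lowercase fallback from post #1 and the configurable always-lowercase option from post #2. The class name, the PBKDF2 password storage and the sample logins are constructed for the example; only the return shape (user id, login) follows PAS.

```python
import hashlib
import hmac
import os

class CaseAwareUserManager:
    """Toy ZODBUserManager-style plugin (constructed for this example, not PAS).
    case_insensitive=False: exact lookup, then a lowercase fallback (post #1).
    case_insensitive=True: lowercase on add and before lookup (post #2)."""

    def __init__(self, case_insensitive=False):
        self.case_insensitive = case_insensitive
        self._login_to_userid = {}  # login name -> user id
        self._user_passwords = {}   # user id -> (salt, pbkdf2 digest)

    def _normalize(self, login):
        return login.lower() if self.case_insensitive else login

    def addUser(self, user_id, login_name, password):
        login = self._normalize(login_name)
        if login in self._login_to_userid:
            raise KeyError('login already taken: %r' % login)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 10000)
        self._login_to_userid[login] = user_id
        self._user_passwords[user_id] = (salt, digest)

    def authenticateCredentials(self, credentials):
        login = credentials.get('login')
        password = credentials.get('password')
        if login is None or password is None:
            return None
        login = self._normalize(login)
        userid = self._login_to_userid.get(login)
        if userid is None and not self.case_insensitive:
            # Post #1 fallback: retry lowercased and record the spelling that matched.
            login = login.lower()
            userid = self._login_to_userid.get(login)
            if userid is not None:
                credentials['login'] = login
        if userid is None:
            return None
        salt, reference = self._user_passwords[userid]
        # The password is still checked against the user the lookup found, so a
        # lowercase match alone never grants access.
        digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 10000)
        if not hmac.compare_digest(digest, reference):
            return None
        return userid, login
```

In fallback mode a store that still holds mixed-case logins (the situation post #1 says its add-on patches separately) is not matched by a lowercase attempt, which is why the normalize-on-add option in post #2 covers that case too.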
