Update of /cvsroot/mailman/mailman/Mailman
In directory usw-pr-cvs1:/tmp/cvs-serv19889
Modified Files:
SecurityManager.py
Log Message:
CheckCookie(): If the authcontext is AuthUser and the `user' argument
is false, then scan the cookie keys for user names. This is used in
private archive authentication (which doesn't have a user context in
the url), so that if a user has already authenticated to edit their
options, they get into the private archives with no login necessary.
Note that this does /not/ open a hole for user option pages because
those have a user context in the url which is passed to CheckCookie
and must match explicitly.
__checkone(): Does one authcontext/user authentication.
Index: SecurityManager.py
===================================================================
RCS file: /cvsroot/mailman/mailman/Mailman/SecurityManager.py,v
retrieving revision 2.5
retrieving revision 2.6
diff -C2 -r2.5 -r2.6
*** SecurityManager.py 2001/05/31 21:17:47 2.5
--- SecurityManager.py 2001/06/01 17:06:49 2.6
***************
*** 216,220 ****
# succeeded for the authorization context, we return 0 meaning the
# authentication failed.
! key, secret = self.AuthContextInfo(authcontext, user)
# Dig out the cookie data, which better be passed on this cgi
# environment variable. If there's no cookie data, we reject the
--- 216,220 ----
# succeeded for the authorization context, we return 0 meaning the
# authentication failed.
! #
# Dig out the cookie data, which better be passed on this cgi
# environment variable. If there's no cookie data, we reject the
***************
*** 224,227 ****
--- 224,253 ----
return 0
c = Cookie.Cookie(cookiedata)
+ # If the user was not supplied, but the authcontext is AuthUser, we
+ # can try to glean the user address from the cookie key. There may be
+ # more than one matching key (if the user has multiple accounts
+ # subscribed to this list), but any are okay.
+ if authcontext == mm_cfg.AuthUser:
+ if user:
+ usernames = [user]
+ else:
+ usernames = []
+ prefix = self.internal_name() + ':user:'
+ for k in c.keys():
+ if k.startswith(prefix):
+ usernames.append(k[len(prefix):])
+ # If any check out, we're golden
+ for user in usernames:
+ ok = self.__checkone(c, authcontext, user)
+ if ok:
+ return 1
+ return 0
+ else:
+ return self.__checkone(c, authcontext, user)
+
+ def __checkone(self, c, authcontext, user):
+ # Do the guts of the cookie check, for one authcontext/user
+ # combination.
+ key, secret = self.AuthContextInfo(authcontext, user)
if not c.has_key(key):
return 0
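Review bot: the `for user in usernames:` loop in CheckCookie() rebinds the `user` parameter and, on success, the caller only ever sees `return 1`, not which address's cookie validated; since the commit message says this path is for private-archive access where no user is in the URL, consider returning the matched user name (or documenting in a `__checkone()` docstring that the result is a yes/no answer) so callers cannot mistake "some subscribed address validated" for "this specific address validated". The candidate names are scraped from client-supplied cookie keys via `k.startswith(prefix)`, which is acceptable only because `__checkone()` still does `key, secret = self.AuthContextInfo(authcontext, user)` and checks the key for each candidate; a one-line comment above the loop stating that the key name is untrusted and the secret check is what authenticates would make that invariant explicit for future edits.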
_______________________________________________
Mailman-checkins mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-checkins