--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-7960
2010-05-05 07:16:13
--------------------------------------------------------------------------------

Name        : python-repoze-who
Product     : Fedora 13
Version     : 1.0.18
Release     : 2.fc13
URL         : http://pypi.python.org/pypi/repoze.who
Summary     : An identification and authentication framework for WSGI
Description :
repoze.who is an identification and authentication framework for arbitrary
WSGI applications. It acts as WSGI middleware. repoze.who is inspired by
Zope 2's Pluggable Authentication Service (PAS) (but repoze.who is not
dependent on Zope in any way; it is useful for any WSGI application). It
provides no facility for authorization (ensuring whether a user can or cannot
perform the operation implied by the request). This is considered to be the
domain of the WSGI application.

--------------------------------------------------------------------------------
Update Information:

1.0.18 (2009-11-05)

* Issue #104: AuthTkt plugin was passing an invalid cookie value in headers
  from forget, and was not setting the Max-Age and Expires attributes of
  those cookies.

1.0.17 (2009-11-05)

* Fixed the repoze.who.plugins.form.make_plugin factory's formcallable
  argument handling, to allow passing in a dotted name (e.g., from a config
  file).

1.0.16 (2009-11-04)

* Exposed formcallable argument for repoze.who.plugins.form.FormPlugin to the
  callers of the repoze.who.plugins.form.make_plugin factory. Thanks to
  Roland Hedburg for the report.
* Fixed an issue that caused the following symptom when using the ini
  configuration parser:

    TypeError: _makePlugin() got multiple values for keyword argument 'name'

  See http://bugs.repoze.org/issue92 for more details. Thanks to vaab for the
  bug report and initial fix.

1.0.15 (2009-06-25)

* If the form post value max_age exists while the identify method is handling
  the login_handler_path, pass the max_age value in the returned identity
  dictionary as max_age. See the bullet point below for why.
* If the identity dict passed to the auth_tkt remember method contains a
  max_age key with a string (or integer) value, treat it as a cue to set the
  Max-Age and Expires headers in the returned cookies. The cookie Max-Age is
  set to the value and the Expires is computed from the current time.

1.0.14 (2009-06-17)

* Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .
* Documented issue with using include_ip setting in the auth_tkt plugin. See
  http://bugs.repoze.org/issue81 .
* Added 'passthrough_challenge_decider', which avoids re-challenging 401
  responses which have been "pre-challenged" by the application.
* One-hundred percent unit test coverage.
* Add timeout and reissue_time arguments to the auth_tkt identifier plugin,
  courtesy of Paul Johnston.
* Add a userid_checker argument to the auth_tkt identifier plugin, courtesy
  of Gustavo Narea.

  If userid_checker is provided, it must be a dotted Python name that
  resolves to a function which accepts a userid and returns a boolean True or
  False, indicating whether that user exists in a database.

  This is a workaround. Due to a design bug in repoze.who, the only way who
  can check for user existence is to use one or more IAuthenticator plugin
  authenticate methods. If an IAuthenticator's authenticate method returns
  true, it means that the user exists. However most IAuthenticator plugins
  expect both a username and a password, and will return False
  unconditionally if both aren't supplied. This means that an authenticator
  can't be used to check if the user "only" exists. The identity provided by
  an auth_tkt does not contain a password to check against.

  The actual design bug in repoze.who is this: when a user presents
  credentials from an auth_tkt, he is considered "preauthenticated".
  IAuthenticator.authenticate is just never called for a "preauthenticated"
  identity, which works fine, but it means that the user will be considered
  authenticated even if you deleted the user's record from whatever database
  you happen to be using. However, if you use a userid_checker, you can
  ensure that a user exists for the auth_tkt supplied userid. If the
  userid_checker returns False, the auth_tkt credentials are considered
  "no good".

--------------------------------------------------------------------------------
ChangeLog:

* Tue May 4 2010 Luke Macken <[email protected]> - 1.0.18-2
- Run the test suite in %check
* Mon Apr 26 2010 Felix Schwarz <[email protected]> - 1.0.18-1
- Update to the latest upstream release.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update python-repoze-who' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
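
The userid_checker workaround described in the 1.0.14 update information above, shown as an added example that is not part of the original notification or of repoze.who itself. The in-memory user table, the function names and accept_ticket_identity (a simplified model of the "preauthenticated" path) are assumptions made for illustration; a real deployment would reference user_exists from the auth_tkt plugin's userid_checker setting by its dotted name.

```python
"""Added example: a userid_checker backed by a user table (constructed data)."""
import sqlite3

# Constructed in-memory user store standing in for the application's database.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY)")
_db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])


def user_exists(userid):
    """userid_checker contract from the changelog: userid in, True/False out."""
    if not isinstance(userid, str) or not userid:
        return False  # fail closed on empty or non-string ids
    row = _db.execute(
        "SELECT 1 FROM users WHERE userid = ?", (userid,)
    ).fetchone()
    return row is not None


def delete_user(userid):
    """Remove the account record; any ticket already issued stays valid."""
    _db.execute("DELETE FROM users WHERE userid = ?", (userid,))


def accept_ticket_identity(identity, userid_checker=None):
    """Simplified model (not repoze.who code) of handling a ticket identity.

    A ticket that already verified is "preauthenticated": no IAuthenticator
    runs for it, so userid_checker is the only place it can be rejected.
    """
    userid = identity.get("userid")
    if userid is None:
        return None
    if userid_checker is not None and not userid_checker(userid):
        return None  # credentials considered "no good"
    return userid


if __name__ == "__main__":
    ticket = {"userid": "bob"}  # constructed identity from a still-valid cookie
    delete_user("bob")
    print("without checker:", accept_ticket_identity(ticket))
    print("with checker:   ", accept_ticket_identity(ticket, user_exists))
```

Without a checker, the deleted account keeps its session until the ticket expires, which is why the timeout argument added in the same release is worth setting as well.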
