Douglas Mayle <> added the comment:

Chris, I actually wrote a mock (using import hooks) that would allow me to
simulate not being able to import a module, even if it's really available.  This
should allow us to get a higher coverage.  Unfortunately, without bcrypt
installed, we couldn't get full coverage...

As to backwards compatibility, the current implementation remains 100% backwards
compatibility, including an existing bug when using cleartext passwords.  (Using
cleartext passwords, it is possible for a user to enter a password that has the
same format as a hashed password, making it impossible to login).

Using cleartext passwords is almost always a bad idea, and if you're doing so
and you absolutely insist on keeping them that way, this code won't try to
prevent you from doing so, and even offers an alternative to fix this bug...
(Prefixing all cleartext passwords with {clear} will prevent the bug from
occurring)  The other possibility, not mentioned here is to hash all passwords
in the database, or as the users log in (since that gives you access to the
cleartext password, it is easy to change the hashes).

Ok, so that only covers the first half of your comments... I'll look at my code
for the rest...


Repoze Bugs <>
Repoze-dev mailing list

Reply via email to