Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication
Jochen Luig wrote:
> Hi,
>
> I stumbled upon a feature of the Authentication Plugin today (Yes I was the guy who used Ash's cardboard cutout programmer service earlier today on #catalyst, so thanks again, Ash ;-)
>
> My configuration was something like this:
>
> authentication:
>   default_realm: users
>   realms:
>     users:
>       credential:
>         class: Password
>         user_field: login
>         password_field: password
>         password_type: clear
>       store:
>         class: DBIx::Class
>         user_class: MyAppDB::Users
>         role_class: MyAppDB::Roles
>         role_field: title
>         role_relation: user_roles
>         user_role_user_field: user_id
>
> but the $userinfo hash I passed to the authenticate() method looked like this
>
> my $userinfo = { username => $login, password => $password}
>
> Thus, Catalyst logged in the first user in the MyAppDB::Users table if I provided the correct password regardless of what I supplied as a login (ok, the latter is obvious).
>
> Does the plugin try to DWIM by using the first user it happens to stumble upon and using his primary key as the login field? This is what I suspect because the (test-)user in question happened to have 1 as his primary key as well as in the 'login'-column.
>
> Maybe this is because of my limited idea of what $userinfo can be, but wouldn't a warning be suitable in such a case?

It is A Feature. You've messed with parameters, username in userinfo, login in credential.

my $userinfo = { login => $login, password => $password}

will cure.

Alex.

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication
Hi Alex,

> It is A Feature. You've messed with parameters, username in userinfo, login in credential.
>
> my $userinfo = { login => $login, password => $password}
>
> will cure.

Yes, I know. I found this out just as I was beginning to complain on #catalyst. I just wanted to know if I interpreted the behaviour (the primary key part) correctly and if my suggestion to issue a warning in such a case is off-base.

Best regards,
Jochen

Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication
Hi Jochen,

You are nearly there. The DBIx::Class store interprets the authinfo hash (almost) exactly like the condition argument to

    $resultset->search();

The 'almost' bit is that it will filter out any columns that aren't actually in the user class.

So - if you provide it with an authinfo hash that has no fields that match the user class - what you get is:

    $resultset->search(undef)->first;

Which will most likely return the first user in your table. So yes... in the rather unlikely event that the passwords happen to match, will get you logged in as that user.

Jay

On Mar 19, 2008, at 2:08 PM, Jochen Luig wrote:
> Hi Alex,
>
>> It is A Feature. You've messed with parameters, username in userinfo, login in credential.
>>
>> my $userinfo = { login => $login, password => $password}
>>
>> will cure.
>
> Yes, I know. I found this out just as I was beginning to complain on #catalyst. I just wanted to know if I interpreted the behaviour (the primary key part) correctly and if my suggestion to issue a warning in such a case is off-base.
>
> Best regards,
> Jochen

---
Those who can make you believe absurdities can make you commit atrocities. --Voltaire

Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication
Upon consideration - I've decided to throw an exception if you try to always going to be an error and better to fail loudly than silently pass auth, even if it is unlikely that the passwords will match.

I'll put this in the next release. You can still accomplish an empty search if you really want to by using the searchargs parameter...

Jay

On Mar 19, 2008, at 2:08 PM, Jochen Luig wrote:
> Hi Alex,
>
>> It is A Feature. You've messed with parameters, username in userinfo, login in credential.
>>
>> my $userinfo = { login => $login, password => $password}
>>
>> will cure.
>
> Yes, I know. I found this out just as I was beginning to complain on #catalyst. I just wanted to know if I interpreted the behaviour (the primary key part) correctly and if my suggestion to issue a warning in such a case is off-base.
>
> Best regards,
> Jochen

---
America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves. -- Abraham Lincoln

Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication
Sorry all. Mail client went crazy.

If you try to call authenticate with no valid fields from the user class - it will throw an exception - as of the next release.

Jay

On Mar 19, 2008, at 2:44 PM, Jay K wrote:
> Upon consideration - I've decided to throw an exception if you try to always going to be an error and better to fail loudly than silently pass auth, even if it is unlikely that the passwords will match.
>
> I'll put this in the next release. You can still accomplish an empty search if you really want to by using the searchargs parameter...
>
> Jay
>
> On Mar 19, 2008, at 2:08 PM, Jochen Luig wrote:
>> Hi Alex,
>>
>>> It is A Feature. You've messed with parameters, username in userinfo, login in credential.
>>>
>>> my $userinfo = { login => $login, password => $password}
>>>
>>> will cure.
>>
>> Yes, I know. I found this out just as I was beginning to complain on #catalyst. I just wanted to know if I interpreted the behaviour (the primary key part) correctly and if my suggestion to issue a warning in such a case is off-base.
>>
>> Best regards,
>> Jochen

---
For most things, throwing yourself at the wall over and over is a better way to improve than thinking hard about the wall and taking pictures of it.
-- D.Litwack
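
Added example, not part of the thread and not the plugin's own code: a pure-Perl model of the lookup Jay describes, showing how an authinfo hash with no matching column collapses to an empty search, and how the announced exception closes that path. The in-memory table, the sub names `search_first` and `authenticate`, the `strict` option and the assumption that the password is compared after the lookup are all hypothetical.

```perl
use strict;
use warnings;

# Constructed sample data standing in for the MyAppDB::Users table.
my @COLUMNS = qw(id login password);
my @USERS   = (
    { id => 1, login => 'alice', password => 'secret1' },
    { id => 2, login => 'bob',   password => 'secret2' },
);

# Model of search($cond)->first: an empty condition matches every row,
# so the first row in the table comes back.
sub search_first {
    my ($cond) = @_;
    ROW: for my $row (@USERS) {
        for my $col (keys %$cond) {
            next ROW unless defined $cond->{$col} && $row->{$col} eq $cond->{$col};
        }
        return $row;
    }
    return;
}

# Hypothetical model of the lookup; strict => 1 adds the check Jay announces.
sub authenticate {
    my ($authinfo, %opt) = @_;
    my %is_column = map { $_ => 1 } @COLUMNS;
    # Assumption: the password is compared after the lookup, not searched on.
    my %cond = map  { ($_ => $authinfo->{$_}) }
               grep { $is_column{$_} && $_ ne 'password' } keys %$authinfo;
    die "authinfo contains no field of the user class\n"
        if $opt{strict} && !%cond;
    my $user = search_first(\%cond) or return;
    my $given = $authinfo->{password};
    # Clear-text comparison, matching password_type: clear in the posted config.
    return unless defined $given && $given eq $user->{password};
    return $user;
}

my $wrong_key = { username => 'bob', password => 'secret1' };   # constructed input
my $user = authenticate($wrong_key);
print "lenient, wrong key:  ", ($user ? $user->{login} : '(rejected)'), "\n";

my $ok = eval { authenticate($wrong_key, strict => 1); 1 };
print "strict, wrong key:   ", ($ok ? "no exception\n" : "exception: $@");

$user = authenticate({ login => 'bob', password => 'secret2' }, strict => 1);
print "strict, correct key: ", ($user ? $user->{login} : '(rejected)'), "\n";
```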