Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication

2008-03-19 Thread Alex Povolotsky

Jochen Luig wrote:

Hi,

I stumbled upon a feature of the Authentication Plugin today
(Yes, I was the guy who used Ash's cardboard cutout programmer service
earlier today on #catalyst, so thanks again, Ash ;-)

My configuration was something like this:

authentication:
  default_realm: users
  realms:
    users:
      credential:
        class: Password
        user_field: login
        password_field: password
        password_type: clear
      store:
        class: DBIx::Class
        user_class: MyAppDB::Users
        role_class: MyAppDB::Roles
        role_field: title
        role_relation: user_roles
        user_role_user_field: user_id

but the $userinfo hash I passed to the authenticate() method looked
like this:

my $userinfo = { username => $login, password => $password };

Thus, Catalyst logged in the first user in the MyAppDB::Users table if I
provided the correct password regardless of what I supplied as a login 
(ok, the latter is obvious).
Does the plugin try to DWIM by using the first user it happens to
stumble upon and using his primary key as the login field? This is what
I suspect because the (test-)user in question happened to have 1 as
his primary key as well as in the 'login'-column.

Maybe this is because of my limited idea of what $userinfo can be, but
wouldn't a warning be suitable in such a case?


It is A Feature. You've messed with parameters, username in userinfo,
login in credential. my $userinfo = { login => $login, password =>
$password } will cure.


Alex.


___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication

2008-03-19 Thread Jochen Luig
Hi Alex,

 It is A Feature. You've messed with parameters, username in userinfo,
 login in credential. my $userinfo = { login => $login, password =>
 $password } will cure.

Yes, I know. I found this out just as I was beginning to complain on
#catalyst. I just wanted to know if I interpreted the behaviour (the
primary key part) correctly and if my suggestion to issue a warning in
such a case is off-base.

Best regards,

Jochen




Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication

2008-03-19 Thread Jay K

Hi Jochen,

You are nearly there.

The DBIx::Class store interprets the authinfo hash (almost) exactly
like the condition argument to $resultset->search(). The 'almost'
bit is that it will filter out any columns that aren't actually in the
user class.

So - if you provide it with an authinfo hash that has no fields that
match the user class - what you get is:

$resultset->search(undef)->first;

Which will most likely return the first user in your table.

So yes... in the rather unlikely event that the passwords happen to
match, it will get you logged in as that user.

Jay

On Mar 19, 2008, at 2:08 PM, Jochen Luig wrote:


Hi Alex,



It is A Feature. You've messed with parameters, username in userinfo,
login in credential. my $userinfo = { login => $login, password =>
$password } will cure.


Yes, I know. I found this out just as I was beginning to complain on
#catalyst. I just wanted to know if I interpreted the behaviour (the
primary key part) correctly and if my suggestion to issue a warning in
such a case is off-base.

Best regards,

Jochen




---
Those who can make you believe absurdities can make you commit
atrocities. --Voltaire





Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication

2008-03-19 Thread Jay K

Upon consideration - I've decided to throw an exception if you try to
always going to be an error and better to fail loudly than silently
pass auth, even if it is unlikely that the passwords will match.
I'll put this in the next release.

You can still accomplish an empty search if you really want to by
using the searchargs parameter...

Jay


On Mar 19, 2008, at 2:08 PM, Jochen Luig wrote:


Hi Alex,



It is A Feature. You've messed with parameters, username in userinfo,
login in credential. my $userinfo = { login => $login, password =>
$password } will cure.


Yes, I know. I found this out just as I was beginning to complain on
#catalyst. I just wanted to know if I interpreted the behaviour (the
primary key part) correctly and if my suggestion to issue a warning in
such a case is off-base.

Best regards,

Jochen




---
America will never be destroyed from the outside. If we falter and
lose our freedoms, it will be because we destroyed ourselves. --
Abraham Lincoln





Re: [Catalyst] Behaviour of Catalyst::Plugin::Authentication

2008-03-19 Thread Jay K

Sorry all.  Mail client went crazy.

If you try to call authenticate with no valid fields from the user
class - it will throw an exception - as of the next release.

Jay

On Mar 19, 2008, at 2:44 PM, Jay K wrote:


Upon consideration - I've decided to throw an exception if you try to
always going to be an error and better to fail loudly than silently
pass auth, even if it is unlikely that the passwords will match.
I'll put this in the next release.

You can still accomplish an empty search if you really want to by
using the searchargs parameter...

Jay


On Mar 19, 2008, at 2:08 PM, Jochen Luig wrote:


Hi Alex,



It is A Feature. You've messed with parameters, username in userinfo,
login in credential. my $userinfo = { login => $login, password =>
$password } will cure.


Yes, I know. I found this out just as I was beginning to complain on
#catalyst. I just wanted to know if I interpreted the behaviour (the
primary key part) correctly and if my suggestion to issue a warning in
such a case is off-base.

Best regards,

Jochen




---
America will never be destroyed from the outside. If we falter and
lose our freedoms, it will be because we destroyed ourselves. --
Abraham Lincoln





---
For most things, throwing yourself at the wall over and over is a
better way to improve than thinking hard about the wall and taking
pictures of it.  -- D.Litwack



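The store lookup Jay describes earlier in the thread, and the exception he announces here for the next release, modelled in Perl as an added example (not Catalyst::Plugin::Authentication's own code): find_user and authenticate are simplified stand-ins for the DBIx::Class store and the Password credential, the user table is constructed, and the assumption that the credential drops the password field before the lookup is marked in a comment.

```perl
use strict;
use warnings;
# Constructed stand-in for the MyAppDB::Users table from the thread:
# user 1 has '1' as both primary key and login, as Jochen observed.
my @columns = qw(id login password);
my @users = (
    { id => 1, login => '1',     password => 'secret'  },
    { id => 2, login => 'alice', password => 'hunter2' },
);

# Store lookup as Jay describes it: keep only authinfo keys that are
# columns of the user class, then search(\%cond)->first. An empty condition
# matches every row, so the first row comes back; $strict refuses it instead.
sub find_user {
    my ($authinfo, $strict) = @_;
    my %cond;
    for my $col (@columns) {
        $cond{$col} = $authinfo->{$col} if exists $authinfo->{$col};
    }
    die "no authinfo field matches a column of the user class\n"
        if $strict && !keys %cond;
    ROW: for my $row (@users) {
        for my $col (keys %cond) {
            next ROW unless $row->{$col} eq $cond{$col};
        }
        return $row;
    }
    return;
}

# Password credential with password_type 'clear' (assumption: the
# password_field is dropped before the lookup, which is what makes Jay's
# search(undef) possible), then compared against the row that came back.
sub authenticate {
    my ($authinfo, $strict) = @_;
    my %lookup = %$authinfo;
    delete $lookup{password};
    my $user = find_user(\%lookup, $strict) or return;
    return $user->{password} eq $authinfo->{password} ? $user : undef;
}
# Jochen's mis-keyed hash: 'username' is not a column, the condition is
# empty, and the first row (id 1) is the one whose password gets checked.
my $u = authenticate({ username => 'anything', password => 'secret' });
print "mis-keyed hash logged in as id=$u->{id}\n" if $u;
# Alex's fix: key the hash with the configured user_field.
$u = authenticate({ login => 'alice', password => 'hunter2' });
print "correct hash logged in as login=$u->{login}\n" if $u;
# Strict mode: the same mis-keyed hash now fails loudly.
eval { authenticate({ username => 'anything', password => 'secret' }, 1) };
print "strict mode: $@" if $@;
```

Running it shows the mis-keyed hash authenticating as id 1 while the strict variant dies before any password is compared, which is the loud failure Jay chose over a silent first-row match.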