Jeff Watkins wrote:
>
> Unfortunately, TG_User can't just check for a null provider and store
> unencrypted passwords, because those records then won't work if the
> provider is expecting encrypted passwords. Additionally, Heikichi
> Umahara's patch (Ticket #635) isn't viable because it moves the
> encryption functionality out of the provider and thereby prevents
> having multiple providers with different encryption schemes (Note:
> Ticket #206 would be precluded by this patch).
>
> On the other hand, because TG_User is a specific component of the
> SqlObjectIdentityProvider and isn't intended to be used by any other
> provider, it might be possible to couple these more tightly. However,
> this still wouldn't be a solution because the provider wouldn't know
> what encryption algorithm to use if it can't find the config file.
>
> These are all reasons why I don't think having the password
> automatically encrypted was a good idea. Before automatic encryption,
> you had one more step you had to remember if you were using encrypted
> passwords and nothing to worry about if you weren't. After automatic
> encryption, you now have to erect a large chunk of the TG
> infrastructure just to create a new user.
>

Jeff, have you seen ticket 624? I think it deals with your objection about not using the identity provider, although you may have other thoughts. Also, what do you think about breaking encrypt_password out as a staticmethod of SqlObjectIdentityProvider?

As to the situation where TG_User can't find the appropriate cherrypy config, I don't know how to deal with that. In 624, it punts, stores the password as cleartext, and logs what it did. I don't know how big a problem that is though; if you are just running via tg-admin shell, you would be covered. In situations where you might use TG_User outside of tg-admin shell, it's not going to be automatic, but you can pass the pre-encrypted password to password_raw (just like before) or set the config value manually.

Also, in all fairness, you weren't able to easily encrypt passwords via the shell before. You had to set up an identity provider to get the encryption algorithm, or replicate what it was doing on your own.
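The mismatch discussed in this thread (a record stored in cleartext because no config was found, later checked by a provider that expects hashed passwords), as an added example that is not part of the original messages and is not TurboGears code. `User`, `CONFIG`, `validate`, the `encrypt_password` signature and the unsalted SHA-256 digest are hypothetical stand-ins for TG_User, the cherrypy config, the provider's check and whatever algorithm the provider is configured with.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("identity_example")

# Hypothetical stand-in for the cherrypy config lookup; None means "not found".
CONFIG = {"encryption_algorithm": None}


def encrypt_password(cleartext, algorithm):
    """Stand-in for the provider's hashing step, callable without a provider."""
    if algorithm is None:
        return cleartext
    return hashlib.new(algorithm, cleartext.encode("utf-8")).hexdigest()


class User:
    """Hypothetical model of a user record; not the real TG_User."""

    def __init__(self, name):
        self.name = name
        self.password_raw = None  # stored value, written as-is

    def set_password(self, cleartext):
        algorithm = CONFIG["encryption_algorithm"]
        if algorithm is None:
            # The fallback the reply describes for ticket 624: store cleartext, log it.
            log.warning("no algorithm configured; storing cleartext for %s", self.name)
        self.password_raw = encrypt_password(cleartext, algorithm)


def validate(user, supplied):
    """What a provider expecting hashed passwords does at login."""
    expected = encrypt_password(supplied, CONFIG["encryption_algorithm"])
    return hmac.compare_digest(expected, user.password_raw)


def demo():
    """Return login results for (fallback record, pre-hashed record)."""
    CONFIG["encryption_algorithm"] = None        # script run without the config
    fallback = User("alice")
    fallback.set_password("s3cret")              # constructed sample password
    prehashed = User("bob")
    prehashed.password_raw = encrypt_password("s3cret", "sha256")
    CONFIG["encryption_algorithm"] = "sha256"    # later, the app runs with config
    return validate(fallback, "s3cret"), validate(prehashed, "s3cret")
```

`demo()` returns `(False, True)`: the record written through the cleartext fallback cannot log in once the provider hashes, while the one given a pre-hashed value through `password_raw` can.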

