Correction. The identifier is there. The problem is that web2py only uses the Janrain identifier as an identifier if auth.define_tables(username=True); else it uses email. AOL login does not pass the email along.

We could modify tools.py so as to always add a registration_id field to the table even if auth.define_tables(username=False). This solves the problem above, but it will force a migration of your auth_user table and your app will no longer recognize users who have previously logged in. Suggestions?

For now, if you use Janrain or another third-party federated ID, make sure auth.define_tables(username=True).

Massimo

On Oct 8, 11:55 pm, Massimo Di Pierro <[email protected]> wrote:
> A major vulnerability has been discovered.
>
> When a user logs in with Janrain using AOL, Janrain reports an
> identifier=None instead of a valid unique id for the user as it
> normally does. Therefore if two different people log in to a web2py
> application using different AOL accounts, Janrain reports them as the
> same person.
>
> I have just pushed a partial fix to trunk that prevents login when the
> Janrain identifier is set to None. That means you cannot log in to
> web2py with AOL.
>
> According to the Janrain online docs, the identifier should be unique
> for every user, but it does not appear to be the case for AOL users.
>
> Even if you do not wish to upgrade, copy
> gluon/contrib/login_methods/rpx_account.py from trunk into your version.
>
> Massimo
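The account-merging problem described in this thread, as an added illustration that is not web2py's or Janrain's code: a toy model of how a federated-login profile is keyed onto a local user row. `Profile`, `account_key`, `login` and the `registry` dict are assumptions standing in for the Janrain response and the auth_user table; the only behaviour taken from the post is that the provider identifier is the key when username=True, email otherwise, and that a login with no usable key must be refused rather than keyed on None.

```python
# Added illustration, not code from web2py or Janrain: a toy model of how a
# federated-login profile is mapped onto a local account, and why a provider
# that reports identifier=None lets two different people land on one account.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    """Subset of a federated-identity response (constructed for the example)."""
    identifier: Optional[str]   # provider's unique id; None in the AOL case
    email: Optional[str]        # None when the provider does not pass it along


def account_key(profile: Profile, username: bool) -> Optional[str]:
    """Field used to look up the local user: the identifier when the auth table
    has a username column (auth.define_tables(username=True)), else the email."""
    return profile.identifier if username else profile.email


def login(registry: dict, profile: Profile, username: bool,
          reject_missing: bool = True) -> int:
    """Return the local user id for this profile, creating it on first login.

    `registry` models the auth_user table as key -> user id. With
    reject_missing=True a profile without a usable key is refused (the fix
    the post describes); with False every such profile is keyed on None and
    therefore shares one row, which is the vulnerable behaviour.
    """
    key = account_key(profile, username)
    if key is None and reject_missing:
        raise PermissionError("federated login rejected: provider sent no "
                              "usable identifier")
    return registry.setdefault(key, len(registry) + 1)


def demo():
    """Two distinct AOL users, both reported with identifier=None and no email."""
    alice = Profile(identifier=None, email=None)
    bob = Profile(identifier=None, email=None)

    naive = {}
    merged = (login(naive, alice, username=True, reject_missing=False),
              login(naive, bob, username=True, reject_missing=False))

    hardened = {}
    try:
        login(hardened, alice, username=True)
        rejected = False
    except PermissionError:
        rejected = True
    return merged, rejected


if __name__ == "__main__":
    print(demo())  # ((1, 1), True): naive keying merges them, hardened refuses
```

Providers that do return a stable identifier are unaffected as long as the identifier is the key: two profiles with different identifiers get two rows, and a repeat login finds the existing row. With username=False the same profiles are keyed on email, so a provider that sends no email is refused too, which is why the post recommends username=True for federated logins.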

