In Products/PluggableAuthService/plugins/ZODBUserManager.py I would like to check the lower case version of the passed login name as well:

    def authenticateCredentials( self, credentials ):
        login = credentials.get( 'login' )
        password = credentials.get( 'password' )
        if login is None or password is None:
            return None
        # First try the login name exactly as it was given.
        userid = self._login_to_userid.get(login)
        if userid is None:
            # Fall back to the completely lowercased login name.
            login = login.lower()
            userid = self._login_to_userid.get(login)
            if userid is None:
                # Neither spelling is known: give up.
                return None
            # Update the login in the credentials, as they might
            # be used elsewhere.
            credentials['login'] = login
        # Either way the password is still checked below.
        reference = self._user_passwords.get(userid)
        if reference is None:
            return None
        ...  # etcetera

For example, in the case of Plone, we may be using the email address as login name. Some people use a mix of upper and lower case in their email address, for example "Maurits at VanRees.Org". When logging in fails, they start to wonder whether they have remembered their password wrongly or if they have entered their email address in lower case or if they have capitalized it differently. The result: a support call.

I have seen this happen several times for a customer and have heard the same from one other person on the Plone core developers list.

It would help if PAS would first check with the exact spelling given and if that fails, try the completely lowercase version. Note that this should be safe: if this somehow gets a different user id than intended, the password should still match that user.

I have used the above code in a patch in the collective.emaillogin add-on in Plone 3 for a long time now and have not had complaints since. Of course it has more patches that make sure that the login name is actually lowercased before adding a new user, but that is outside the scope of this mail.

I think the above code would be fine to put in core PAS. It is safe as far as I can tell and the extra processing time required when a login fails should be small. Is anyone against that?

By the way, I remember having seen somewhere in PAS or PlonePAS or somewhere else a while ago a class that had a boolean attribute called something like '__case_insensitive', which was False by default. That was intended to do something similar, but it did not work when I tried using it. This is all very vague and I cannot find it anymore. Maybe it was simply removed. But does this ring a bell for anyone?


Maurits van Rees: http://maurits.vanrees.org/
Zest Software: http://zestsoftware.nl
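An added, self-contained illustration of the fallback described in the post (example code, not the PAS code base or the author's patch): a stand-in user manager with constructed users and an illustrative salted-hash check, showing that the exact spelling wins, that the lowercase lookup is only reached when the exact one fails, and that a fallback hit still has to pass the password check. The `FakeUserManager`, `add_user` and the hashing scheme are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    # Illustrative password hashing; PAS uses its own scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class FakeUserManager:
    """Constructed stand-in for ZODBUserManager's two lookup tables."""

    def __init__(self):
        self._login_to_userid = {}   # login name -> user id
        self._user_passwords = {}    # user id -> (salt, digest)

    def add_user(self, userid, login, password):
        salt = secrets.token_bytes(16)
        self._login_to_userid[login] = userid
        self._user_passwords[userid] = (salt, _hash(password, salt))

    def authenticateCredentials(self, credentials):
        login = credentials.get("login")
        password = credentials.get("password")
        if login is None or password is None:
            return None
        # 1. exact spelling as entered
        userid = self._login_to_userid.get(login)
        if userid is None:
            # 2. only if that fails, the all-lowercase spelling
            login = login.lower()
            userid = self._login_to_userid.get(login)
            if userid is None:
                return None
            # the corrected login is handed back to the caller
            credentials["login"] = login
        # Whichever spelling matched, the password must still verify
        # against the user that was found.
        reference = self._user_passwords.get(userid)
        if reference is None:
            return None
        salt, digest = reference
        if not hmac.compare_digest(_hash(password, salt), digest):
            return None
        return userid, login
```

With two constructed users whose logins differ only in case, a mixed-case login that matches neither exactly falls back to the lowercase user and is accepted only with that user's password.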

Zope-CMF maillist  -  Zope-CMF@zope.org

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests