(PAS stuff is OT for the CMF list. Please follow up on [email protected] or the equivalent Gmane newsgroup).
On 12/27/2012 01:22 PM, Maurits van Rees wrote:
> Hi,
>
> In Products/PluggableAuthService/plugins/ZODBUserManager.py I would
> like to check the lower case version of the passed login name as
> well:
>
>     def authenticateCredentials( self, credentials ):
>         login = credentials.get( 'login' )
>         password = credentials.get( 'password' )
>         if login is None or password is None:
>             return None
>         userid = self._login_to_userid.get(login)
>         if userid is None:
>             # HERE STARTS THE EXTRA CODE:
>             login = login.lower()
>             userid = self._login_to_userid.get(login)
>             if userid:
>                 # Update the login in the credentials, as they might
>                 # be used elsewhere.
>                 credentials['login'] = login
>             else:
>                 return None
>             # HERE ENDS THE EXTRA CODE.
>         reference = self._user_passwords.get(userid)
>         if reference is None:
>             return None
>         ...
>         # etcetera
>
> For example, in the case of Plone, we may be using the email address
> as login name. Some people use a mix of upper and lower case in their
> email address, for example "Maurits at VanRees.Org". When logging in
> fails, they start to wonder whether they have remembered their
> password wrongly or if they have entered their email address in lower
> case or if they have capitalized it differently. The result: a
> support call.
>
> I have seen this happen several times for a customer and have heard
> the same from one other person on the plone core developers list.
>
> It would help if PAS would first check with the exact spelling given
> and if that fails, try the completely lowercase version. Note that
> this should be safe: if this somehow gets a different user id than
> intended, the password should still match that user.
>
> I have used the above code in a patch in the collective.emaillogin
> add-on in Plone 3 for a long time now and have not had complaints
> since. Of course it has more patches that make sure that the login
> name is actually lowercased before adding a new user, but that is
> outside the scope of this mail.
>
> I think the above code would be fine to put in core PAS. It is safe
> as far as I can tell and the extra processing time required when a
> login fails should be small. Is anyone against that?

I would prefer to have the case insensitivity be a configurable option of the plugin (in which case it would always lowercase the login when the user was created or updated, as well as before comparing).

> By the way, I remember having seen somewhere in PAS or PlonePAS or
> somewhere else a while ago a class that had a boolean attribute called
> something like '__case_insensitive', which was False by default.
> That was intended to do something similar, but it did not work when I
> tried using it. This is all very vague and I cannot find it again.
> Maybe it was simply removed. But does this ring a bell for anyone?

I don't remember such an attribute.

Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          [email protected]
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope-CMF maillist - [email protected]
https://mail.zope.org/mailman/listinfo/zope-cmf
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
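Added example, not code from PAS or from either message above: a toy user manager built on the same two mappings ZODBUserManager keeps (`_login_to_userid` and `_user_passwords`), combining the lowercase fallback from the quoted patch with the configurable normalisation Tres suggests. The class name `ToyUserManager`, the option name `case_insensitive` and clear-text password storage (PAS stores hashes) are assumptions made for illustration.

```python
class ToyUserManager:
    """Toy model of a PAS user-manager plugin (assumption, not PAS code)."""

    def __init__(self, case_insensitive=False):
        # Hypothetical plugin option from the reply: when set, every login is
        # lowercased on creation and before every lookup, so the stored key
        # and the submitted login can never disagree on case.
        self.case_insensitive = case_insensitive
        self._login_to_userid = {}
        self._user_passwords = {}

    def _normalise(self, login):
        return login.lower() if self.case_insensitive else login

    def addUser(self, userid, login, password):
        self._login_to_userid[self._normalise(login)] = userid
        self._user_passwords[userid] = password

    def authenticateCredentials(self, credentials):
        login = credentials.get('login')
        password = credentials.get('password')
        if login is None or password is None:
            return None
        login = self._normalise(login)
        userid = self._login_to_userid.get(login)
        if userid is None:
            # Fallback from the quoted patch: retry with the lowercased login.
            # With case_insensitive=True this never fires, because the login
            # is already lowercase and the first lookup was the only one.
            login = login.lower()
            userid = self._login_to_userid.get(login)
            if userid is None:
                return None
            # Update the login in the credentials, as the patch does, so
            # later plugins see the spelling that actually matched.
            credentials['login'] = login
        # The safety argument from the thread: even if the fallback resolves
        # to a different user than the one intended, that user's password
        # still has to match, so a wrong-case login cannot bypass the check.
        if self._user_passwords.get(userid) != password:
            return None
        return userid, login
```

With a case-sensitive store holding both "alice" and "Alice", a login of "ALICE" falls back to "alice", so it succeeds only with alice's password; enabling the option instead makes "Maurits at VanRees.Org" and "MAURITS AT VANREES.ORG" the same stored key.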
