I think a found a bug in ZODBUserManager.py in the updateUserPassword

To reproduce:
Add users via ZMI (id | login)
user1 | login1
user2 | login2

Everything works fine.
Now edit the second user (by clicking on "password" in the
ZODBUserManager ZMI)
And choose "login1" without quotes for the login name, retype your

You now see two users in your ZODBUserManager, but only the second one
will work.
The first user is somehow "overwritten", you cant delete him, or even
use him for authentification.

I browsed the source (om not so good at that so please forgive if I went
the wrong way ;) )
And found the corresponding method "updateUserPassword"

I think somewhere in this method the duplicate login check is missing,
like in the method "addUser"

if self._login_to_userid.get( login_name ) is not None:
            raise KeyError, 'Duplicate login name: %s' % login_name

Maybe anyone knows how to fix this :) I do not.

Zope-PAS mailing list

Reply via email to