On Dec 27, 2012, at 20:52 , Tres Seaver <[email protected]> wrote:
> (PAS stuff is OT for the CMF list. Please follow up on [email protected]
> or the equivalent Gmane newsgroup).
>
> On 12/27/2012 01:22 PM, Maurits van Rees wrote:
>> Hi,
>>
>> In Products/PluggableAuthService/plugins/ZODBUserManager.py I would
>> like to check the lower case version of the passed login name as
>> well:
>>
>>     def authenticateCredentials( self, credentials ):
>>         login = credentials.get( 'login' )
>>         password = credentials.get( 'password' )
>>         if login is None or password is None:
>>             return None
>>         userid = self._login_to_userid.get(login)
>>         if userid is None:
>>             # HERE STARTS THE EXTRA CODE:
>>             login = login.lower()
>>             userid = self._login_to_userid.get(login)
>>             if userid:
>>                 # Update the login in the credentials, as they might
>>                 # be used elsewhere.
>>                 credentials['login'] = login
>>             else:
>>                 return None
>>             # HERE ENDS THE EXTRA CODE.
>>         reference = self._user_passwords.get(userid)
>>         if reference is None:
>>             return None
>>         ...
>>         # etcetera
>>
>> For example, in the case of Plone, we may be using the email address
>> as login name. Some people use a mix of upper and lower case in their
>> email address, for example "Maurits at VanRees.Org". When logging in
>> fails, they start to wonder whether they have remembered their
>> password wrongly or if they have entered their email address in lower
>> case or if they have capitalized it differently. The result: a
>> support call.
>>
>> I have seen this happen several times for a customer and have heard
>> the same from one other person on the plone core developers list.
>>
>> It would help if PAS would first check with the exact spelling given
>> and if that fails, try the completely lowercase version. Note that
>> this should be safe: if this somehow gets a different user id than
>> intended, the password should still match that user.
>>
>> I have used the above code in a patch in the collective.emaillogin
>> add-on in Plone 3 for a long time now and have not had complaints
>> since. Of course it has more patches that make sure that the login
>> name is actually lowercased before adding a new user, but that is
>> outside the scope of this mail.
>>
>> I think the above code would be fine to put in core PAS. It is safe
>> as far as I can tell and the extra processing time required when a
>> login fails should be small. Is anyone against that?
>
> I would prefer to have the case insensitivity be a configurable option of
> the plugin (in which case it would always lowercase the login when the
> user was created or updated, as well as before comparing).

A bit more specifically, you need to define a canonical spelling of a login name and a way to convert a login name to the canonical version, which is applied at every point a login name is passed in via the PAS API. lower() would then be a possible transformation to get such a canonical spelling. It might make sense to do that in PAS so you don't have to duplicate that in all PAS plugins.

Wichert.

_______________________________________________
Zope-PAS mailing list
[email protected]
https://mail.zope.org/mailman/listinfo/zope-pas
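One way to carry out the canonical-spelling approach Wichert describes, as an added example that is neither PluggableAuthService code nor code from this thread: one canonical_login() is applied both when a user is created and when credentials are checked, so the store can never hold two spellings of one address and no second, lowercased lookup is needed. UserStore, add_user, authenticate and the sha256 stand-in for PAS's password hashing are assumptions.

```python
import hashlib
import hmac


def canonical_login(login):
    # Canonical spelling of a login name: case-folded, surrounding
    # whitespace dropped. lower() is one possible choice, as in the thread.
    return login.strip().lower()


def _hash(password):
    # Stand-in for PAS's password hashing (assumption, not the real scheme).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class UserStore:
    """In-memory stand-in for ZODBUserManager's two mappings (assumption)."""

    def __init__(self):
        self._login_to_userid = {}
        self._user_passwords = {}

    def add_user(self, userid, login, password):
        # Canonicalize at creation time, so "Maurits@VanRees.Org" and
        # "maurits@vanrees.org" cannot become two different accounts.
        key = canonical_login(login)
        if key in self._login_to_userid:
            return False  # login already in use under its canonical spelling
        self._login_to_userid[key] = userid
        self._user_passwords[userid] = _hash(password)
        return True

    def authenticate(self, credentials):
        # Same transformation on the way in: exact spelling given by the user
        # is irrelevant, only the canonical form is looked up.
        login = credentials.get("login")
        password = credentials.get("password")
        if login is None or password is None:
            return None
        key = canonical_login(login)
        userid = self._login_to_userid.get(key)
        if userid is None:
            return None
        if not hmac.compare_digest(self._user_passwords[userid], _hash(password)):
            return None
        # Hand the canonical login back, as it may be used elsewhere.
        credentials["login"] = key
        return userid, key
```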
