On Fri, Feb 18, 2011 at 22:19, Martijn Pieters <mj@zopatista.com> wrote:
> We should at the very least convert PAS to use zope.password instead of AccessControl.AuthEncoding.
There is a snag. The zope.password API doesn't provide any way to detect what scheme was used for a given hash. Say you have an SSHA hash, it'll start with the string "{SSHA}", while a bcrypt encryption starts with "$2a$". Unfortunately, the zope.password IPasswordManager only provides methods to encode the password and check if a given password is correct. The only consumer of the interface, zope.app.authentication.principalfolder, only supports one password manager at a time, so it never had a need to detect schemes.

I'll just go ahead and expand the IPasswordManager interface to provide a match method that returns a boolean if a given hash uses the specific encoding scheme. Presumably this'll be zope.password 4.0.0.

What does this mean for the versioning of AccessControl, however? Will that be a 2.14 release? What version of Zope2 can start using the new AccessControl package with a "zope.password >= 4.0.0" dependency? Zope2 primarily uses the ZTK, so a version pin would be needed there until the new zope.password release makes it into the ZTK.

--
Martijn Pieters
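An added illustration, not part of the original message and not zope.password's own code: a sketch of how a per-scheme match method lets a caller pick the right manager from the stored hash's prefix. The class names, `find_manager` and `verify` are hypothetical, and the "$2a$" value in the test is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import os


class SHAManager:
    """Unsalted SHA-1, stored as '{SHA}' + base64(digest). Hypothetical class."""
    prefix = "{SHA}"

    def match(self, stored):
        # True only if the stored hash was produced by this scheme.
        return stored.startswith(self.prefix)

    def encode(self, password):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return self.prefix + base64.b64encode(digest).decode("ascii")

    def check(self, stored, password):
        return hmac.compare_digest(stored.encode(), self.encode(password).encode())


class SSHAManager(SHAManager):
    """Salted SHA-1, stored as '{SSHA}' + base64(digest + salt)."""
    prefix = "{SSHA}"

    def encode(self, password, salt=None):
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return self.prefix + base64.b64encode(digest + salt).decode("ascii")

    def check(self, stored, password):
        try:
            raw = base64.b64decode(stored[len(self.prefix):])
        except ValueError:          # malformed base64 in the stored value
            return False
        salt = raw[20:]             # SHA-1 digest is 20 bytes, the rest is salt
        return hmac.compare_digest(stored.encode(), self.encode(password, salt).encode())


MANAGERS = [SSHAManager(), SHAManager()]


def find_manager(stored, managers=MANAGERS):
    """Return the first manager whose match() accepts the stored hash."""
    return next((m for m in managers if m.match(stored)), None)


def verify(stored, password, managers=MANAGERS):
    manager = find_manager(stored, managers)
    if manager is None:
        return False                # unknown scheme (e.g. "$2a$"): fail closed
    return manager.check(stored, password)
```

With no bcrypt manager registered, a "$2a$" hash is rejected outright instead of being handed to a manager that cannot interpret it.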