On Wed, Apr 26, 2000 at 09:55:05AM +1000, Stuart 'Zen' Bishop wrote:
> On Wed, 19 Apr 2000, Lalo Martins wrote:
> > The reasons I don't use GUF are, (1) it doesn't by default acquire users, and (2) it's (in the author's words) "trivial to grab people's passwords".
>
> 1) It does now (new architecture in 1.2.0 fixed this)

I realized that as I tried. I was very pleased with it. :-) Kudos to the developers.

> 2) Only if you give people rights to create GUF instances. It's about the same as giving people the ability to create arbitrary DTML methods (i.e. someone creates a fake login form and you would be surprised how many of your users would enter their username/password without thinking).

But the point of the sites I maintain is community participation. I absolutely _need_ to let people create arbitrary DTML in their own folders. And what if/when I want to provide Zope hosting? Should I run a separate Zope instance for each customer? Nah.

Yes, you can write a page asking for a login and hope people are fooled. You can also write a banner ad with a moving guy and say "win (whatever) if you hit the guy". Too bad. Ethics can't be forced.

But GUF is worse because you can provide a _real_ login dialog, and _really_ log the user in, so that s/he won't notice something went wrong at all, but as part of the login process store his/her password somewhere. That's bad.

It is possible with Generic User Source, yes, but that's not as bad as it sounds, because GUS was written as an example, mostly as a clone of GUF. I think over time people will start coming up with safer User Sources, and then I can just uninstall the ill-behaved ones.

Actually I'm very pleased with LoginManager; I would have it in production already, if it weren't for the whole permissions-for-properties problem (which keeps my naive "OFS User Source" implementation from being really usable).

[]s,
|alo
+----
--
Hack and Roll ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.

http://www.webcom.com/lalo mailto:lalo@hackandroll.org
pgp key in the personal page

Brazil of Darkness (RPG) --- http://zope.gf.com.br/BroDar