Re: Zope digest, Vol 1 #616 - 60 msgs
From: Organization: Digital Creations To: "Cornelis J. de Brabander" <brabander@fsw.LeidenUniv.nl> CC: zope <zope@zope.org> Subject: Re: [Zope] upgrading to 2.1.3 and acl_users
Cornelius,
I noticed this too the other day.
It's a form problem. It's not a serious issue, just that the form that comes with 2.1.3 (and 2.1.2, and maybe even 2.1.0) for editing users doesn't have the proper DTML to show the old username and password. I'm not even sure that this wasn't a feature.
I will either fix it or put it in the collector soon.
NOOOOOOOO! It was an awful security hole to echo the existing password out to the User edit form -- please don't put it back! Think about it -- on a Unix system, even root can't read another user's password, but only reset it. This is the Right Thing (TM) for Zope to do.
"Cornelis J. de Brabander" wrote:
Hi, I have performed an upgrade from 2.0.0 to 2.1.3 (Windows NT) by copying the data.fs.* to the var directory of the new Zope install. Both services were stopped during copy. All went well, but in all acl_users folders the passwords appear to have disappeared: in the manage screen of acl_users, the password and confirm fields are empty. However, the site functions as it should: where required, access is only granted after inputting the original password that belonged to a user in the 2.0.0 version. Does anybody have a clue about what could have happened, or whether this is a forerunner of trouble? cb
-- ========================================================= Tres Seaver tseaver@palladion.com 713-523-6582 Palladion Software http://www.palladion.com
On 07-Feb-2000 Tres Seaver wrote:
It's a form problem. It's not a serious issue, just that the form that comes with 2.1.3 (and 2.1.2, and maybe even 2.1.0) for editing users doesn't have the proper DTML to show the old username and password. I'm not even sure that this wasn't a feature. I will either fix it or put it in the collector soon.
NOOOOOOOO! It was an awful security hole to echo the existing password out to the User edit form -- please don't put it back! Think about it -- on a Unix system, even root can't read another user's password, but only reset it. This is the Right Thing (TM) for Zope to do.
No, it's only the Right Thing (TM) to do if there were some way to better manage roles. As far as I can tell, the only way to change a user's role is through managing that user, in which case I have to re-enter that user's password. Not a good situation... perhaps the correct fix is to keep it as is (with the "broken" form) and create a new interface to manage roles properly (role membership mgmt). I don't believe that Zope has that feature, unless I am totally missing something :)
-- M. Adam Kendall | mak@kha0s.org | http://kha0s.org | "There's never enough time to do all the nothing you want." --Bill Watterson (Calvin and Hobbes)
Yep, I agree... that's why I said I wasn't sure if it wasn't a feature. But it interferes with the administrator assigning new roles to a user if he doesn't have the user's password which needs to be fixed.
-- Chris McDonough - Digital Creations, Inc. Publishers of Zope - http://www.zope.org
BTW, I'm not fixing it, it's in the collector... to be fixed. When? Good question.
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Chris McDonough - Digital Creations, Inc. Publishers of Zope - http://www.zope.org
Chris McDonough wrote:
Tres Seaver wrote: Yep, I agree... that's why I said I wasn't sure if it wasn't a feature. But it interferes with the administrator assigning new roles to a user if he doesn't have the user's password which needs to be fixed.
I think the fix is to have a separate form and submission method for password changes; that way, the "manage_editProperties" bit doesn't screw up the password. BTW, my bad for hitting Send before cleaning up the subject line -- sorry! Tres. -- ========================================================= Tres Seaver tseaver@palladion.com 713-523-6582 Palladion Software http://www.palladion.com
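As an added illustration of the split Tres proposes (example code written for this thread, not Zope's own User or acl_users implementation): role edits go through one path that never touches the stored credential, password changes go through a separate path, and the edit form only ever renders blank password fields, so nothing secret is echoed back. The `User` class, hashing scheme and function names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


# Hypothetical stand-in for one acl_users entry (not Zope's User class).
@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    salt: bytes = b""
    pw_hash: bytes = b""


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds a recoverable cleartext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user: User, new_password: str) -> None:
    """Separate submission path used only for password changes."""
    user.salt = secrets.token_bytes(16)
    user.pw_hash = _derive(new_password, user.salt)


def edit_roles(user: User, roles) -> None:
    """Role management leaves salt/pw_hash untouched, so an administrator
    can reassign roles without knowing or re-entering the user's password."""
    user.roles = set(roles)


def edit_properties(user: User, roles, password: str = "") -> None:
    """Combined handler in the spirit of manage_editProperties: an empty
    password field means 'unchanged', so a role edit cannot clobber it."""
    edit_roles(user, roles)
    if password:
        set_password(user, password)


def check_password(user: User, candidate: str) -> bool:
    return secrets.compare_digest(_derive(candidate, user.salt), user.pw_hash)


def edit_form_fields(user: User) -> dict:
    """What the edit form may render: name, roles and blank password
    fields. The stored hash is never sent to the browser, which is the
    behaviour the 'broken' 2.1.3 form already has."""
    return {"name": user.name, "roles": sorted(user.roles),
            "password": "", "confirm": ""}
```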
Agreed... now let me see who we can go clone around here... :-)
-- Chris McDonough - Digital Creations, Inc. Publishers of Zope - http://www.zope.org