[Zope-CMF] PAS: authenticateCredentials: check lowercase too?
Maurits van Rees
m.van.rees at zestsoftware.nl
Thu Dec 27 18:22:36 UTC 2012
Hi,
In Products/PluggableAuthService/plugins/ZODBUserManager.py I would like
to check the lower case version of the passed login name as well:
def authenticateCredentials( self, credentials ):
    login = credentials.get( 'login' )
    password = credentials.get( 'password' )
    if login is None or password is None:
        return None
    userid = self._login_to_userid.get(login)
    if userid is None:
        # HERE STARTS THE EXTRA CODE:
        login = login.lower()
        userid = self._login_to_userid.get(login)
        if userid:
            # Update the login in the credentials, as they might
            # be used elsewhere.
            credentials['login'] = login
        else:
            return None
        # HERE ENDS THE EXTRA CODE.
    reference = self._user_passwords.get(userid)
    if reference is None:
        return None
    ... # etcetera
For example, in the case of Plone, we may be using the email address as
login name. Some people use a mix of upper and lower case in their
email address, for example "Maurits at VanRees.Org". When logging in
fails, they start to wonder whether they have remembered their password
wrongly or if they have entered their email address in lower case or if
they have capitalized it differently. The result: a support call.
I have seen this happen several times for a customer and have heard the
same from one other person on the plone core developers list.
It would help if PAS would first check with the exact spelling given and
if that fails, try the completely lowercase version. Note that this
should be safe: if this somehow gets a different user id than intended,
the password should still match that user.
I have used the above code in a patch in the collective.emaillogin
add-on in Plone 3 for a long time now and have not had complaints since.
Of course it has more patches that make sure that the login name is
actually lowercased before adding a new user, but that is outside the
scope of this mail.
I think the above code would be fine to put in core PAS. It is safe as
far as I can tell and the extra processing time required when a login
fails should be small. Is anyone against that?
By the way, I remember having seen somewhere in PAS or PlonePAS or
somewhere else a while ago a class that had a boolean attribute called
something like '__case_insensitive', which was False by default. That
was intended to do something similar, but it did not work when I tried
using it. This is all very vague and I cannot find it again. Maybe it
was simply removed. But does this ring a bell for anyone?
Thanks,
--
Maurits van Rees: http://maurits.vanrees.org/
Zest Software: http://zestsoftware.nl
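The lookup order proposed in the mail, as an added stand-alone example that is not part of the post or of PAS itself: a constructed user manager with the same `_login_to_userid` and `_user_passwords` mappings, which tries the exact login first, falls back to the lowercased form, and then still requires the password to match whichever user that resolves to. Password hashing with pbkdf2 is an assumption made only to keep the example self-contained; the real plugin uses AuthEncoding.

```python
import hashlib
import hmac
import os


class CaseFallbackUserManager:
    """Constructed stand-in for ZODBUserManager (not the real plugin)."""

    def __init__(self):
        self._login_to_userid = {}   # login name -> user id
        self._user_passwords = {}    # user id -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def addUser(self, user_id, login_name, password):
        salt = os.urandom(16)
        self._login_to_userid[login_name] = user_id
        self._user_passwords[user_id] = (salt, self._digest(salt, password))

    def authenticateCredentials(self, credentials):
        login = credentials.get("login")
        password = credentials.get("password")
        if login is None or password is None:
            return None
        # 1. Exact spelling first, so a login that really differs only in
        #    case from another one is never shadowed by the fallback.
        userid = self._login_to_userid.get(login)
        if userid is None:
            # 2. Fallback from the mail: retry with the lowercased login and
            #    rewrite the credentials so later plugins see the same login.
            login = login.lower()
            userid = self._login_to_userid.get(login)
            if userid is None:
                return None
            credentials["login"] = login
        stored = self._user_passwords.get(userid)
        if stored is None:
            return None
        salt, reference = stored
        # 3. Whichever user the lookup resolved to, the password must match
        #    that user; a constant-time compare avoids timing leaks.
        if not hmac.compare_digest(reference, self._digest(salt, password)):
            return None
        return userid, login
```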