[Zope-PAS] dealing with deleted users

Wichert Akkerman wichert at wiggy.net
Sat May 27 15:37:09 EDT 2006


I was investigating a Plone bug (http://dev.plone.org/plone/ticket/5355)
and it is caused by PAS behaviour. The problem boils down to logic in
CookieAuthHelper.extractCredentials: if a cookie is present the
credentials are extracted from it and form fields are ignored. This
means that if we have a cookie containing credentials which no longer
authenticate it becomes impossible to log in as a different user since
the form data is never seen.

The cleanest solution I can think of is to introduce a new extraction
plugin which extracts credentials from the form data and give that a
lower priority than the CookieAuthHelper plugin. Are there any
objections to doing that?

Wichert.

-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
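
The lockout described in this message and the proposed lower-priority form extractor, as an added example that is not part of the original post and is not PAS code. It is a simplified model: every function name, the "login:password" cookie format and the user store are assumptions made for illustration.

```python
import hmac

# Simplified model, not PAS code. Assumed: extractors run in priority order
# and the first credentials that authenticate win.
USERS = {"alice": "s3cret"}  # constructed store; user "bob" has been deleted

def authenticate(creds):
    """Return the login when the password matches, else None."""
    expected = USERS.get(creds.get("login"))
    if expected is None:
        return None
    supplied = creds.get("password", "")
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    return creds["login"] if ok else None

def cookie_extractor(request):
    """Credentials from the cookie only (constructed 'login:password' form)."""
    if "cookie" not in request:
        return {}
    login, _, password = request["cookie"].partition(":")
    return {"login": login, "password": password}

def form_extractor(request):
    """Credentials from the login form fields only."""
    if "form_login" not in request:
        return {}
    return {"login": request["form_login"],
            "password": request.get("form_password", "")}

def cookie_shadows_form(request):
    """Behaviour described in the post: a present cookie hides the form."""
    return cookie_extractor(request) or form_extractor(request)

def identify(request, extractors):
    """Try each extractor in order; return the first authenticated login."""
    for extract in extractors:
        creds = extract(request)
        if creds and authenticate(creds):
            return creds["login"]
    return None

# Constructed request: stale cookie for deleted "bob", form submitted by alice.
STALE = {"cookie": "bob:oldpw", "form_login": "alice",
         "form_password": "s3cret"}

if __name__ == "__main__":
    print(identify(STALE, [cookie_shadows_form]))               # None
    print(identify(STALE, [cookie_extractor, form_extractor]))  # alice
```

In this model the separate form extractor is only consulted after the cookie credentials fail to authenticate, so a valid cookie still takes precedence over submitted form data.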

