[Zope-PAS] dealing with deleted users
Wichert Akkerman
wichert at wiggy.net
Sat May 27 15:37:09 EDT 2006
I was investigating a Plone bug (http://dev.plone.org/plone/ticket/5355)
and it is caused by PAS behaviour. The problem boils down to logic in
CookieAuthHelper.extractCredentials: if a cookie is present the
credentials are extracted from it and form fields are ignored. This
means that if we have a cookie containing credentials which no longer
authenticate it becomes impossible to log in as a different user since
the form data is never seen.
The cleanest solution I can think of is to introduce a new extraction
plugin which extracts credentials from the form data and give that a
lower priority than the CookieAuthHelper plugin. Are there any
objections to doing that?
Wichert.
--
Wichert Akkerman <wichert at wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
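
An added example, not part of the original post and not PAS code: a simplified Python model of the extraction order described above, showing the stale cookie hiding the login form and a lower-priority form extractor restoring it. The function names, the `login`/`password` keys, the `login:password` cookie layout and the sample requests are assumptions made for illustration.

```python
# Simplified model of an extract-then-authenticate loop; not PAS code.
# All names are hypothetical; USERS and the sample requests are constructed.
USERS = {"bob": "s3cret"}  # "alice" has been deleted from the user source


def cookie_only(request):
    """Behaviour described in the post: a present cookie hides the form."""
    cookie = request.get("cookie")
    if cookie:
        login, _, password = cookie.partition(":")
        return {"login": login, "password": password}
    return dict(request.get("form", {}))


def form_only(request):
    """Proposed plugin: reads only the submitted form fields."""
    form = request.get("form", {})
    if form.get("login") and form.get("password"):
        return {"login": form["login"], "password": form["password"]}
    return {}


def authenticate(creds):
    """Return the login if the credentials match a live user, else None."""
    login = creds.get("login")
    if login in USERS and USERS[login] == creds.get("password"):
        return login
    return None


def resolve_user(request, extractors):
    """Try extractors in priority order; the first credentials
    that authenticate decide the user."""
    for extract in extractors:
        user = authenticate(extract(request))
        if user:
            return user
    return None


# Constructed requests: a cookie for a deleted user plus a fresh login form,
# and a still-valid cookie accompanied by unrelated form data.
STALE = {"cookie": "alice:oldpw", "form": {"login": "bob", "password": "s3cret"}}
VALID = {"cookie": "bob:s3cret", "form": {"login": "eve", "password": "x"}}

if __name__ == "__main__":
    print(resolve_user(STALE, [cookie_only]))             # form never seen
    print(resolve_user(STALE, [cookie_only, form_only]))  # form is the fallback
    print(resolve_user(VALID, [cookie_only, form_only]))  # cookie keeps priority
```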