[Zope-PAS] dealing with deleted users

Jens Vagelpohl jens at dataflake.org
Sat May 27 17:22:53 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 27 May 2006, at 20:37, Wichert Akkerman wrote:

> I was investigating a plone bug (http://dev.plone.org/plone/ticket/5355)
> and it is caused by PAS behaviour. The problem boils down to logic in
> CookieAuthHelper.extractCredentials: if a cookie is present the
> credentials are extracted from it and form fields are ignored. This
> means that if we have a cookie containing credentials which no longer
> authenticate it becomes impossible to login as a different user since
> the form data is never seen.

Looking at the equivalent in the CookieCrumbler code (method
modifyRequest) it seems the cookie crumbler does it the other way
around and will look for form data before looking for the cookie. I'd
be interested to find out the rationale for weighting cookie
information higher than form data. Does anyone remember?

jens


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEeMMtRAx5nvEhZLIRAk2jAKC10jUqyQphNPvjehDWmP9bXmhDvACgjvwZ
vGn0MPGP/Ueu77mQOj+c2C4=
=k3jP
-----END PGP SIGNATURE-----
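The two extraction orders discussed in this thread, as an added illustration that is not code from PAS, CookieCrumbler or Plone. It models the credential extractor as a plain function over a dict standing in for the Zope request; the cookie name, form field names and the base64 "login:password" cookie encoding are assumptions for the example, as is the in-memory user store. The scenario is the one from the ticket: a user logged in, the account was deleted, the browser still sends the old cookie, and somebody else tries to log in through the form.

```python
import base64
from urllib.parse import quote, unquote

# Assumed names and encoding for this illustration only; they are not
# the real plugin's API.
COOKIE_NAME = "__ac"
LOGIN_FIELD = "__ac_name"
PASSWORD_FIELD = "__ac_password"


def encode_cookie(login, password):
    """Pack login:password into a base64 cookie value (assumed format)."""
    return base64.b64encode(f"{quote(login)}:{quote(password)}".encode()).decode()


def decode_cookie(value):
    """Reverse of encode_cookie; returns None for an undecodable cookie."""
    try:
        raw = base64.b64decode(value, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    login, sep, password = raw.partition(":")
    if not sep:
        return None
    return {"login": unquote(login), "password": unquote(password)}


def extract_form(request):
    """Credentials from the login form, or None if the form is absent."""
    form = request.get("form", {})
    if LOGIN_FIELD in form and PASSWORD_FIELD in form:
        return {"login": form[LOGIN_FIELD], "password": form[PASSWORD_FIELD]}
    return None


def extract_cookie(request):
    """Credentials from the auth cookie, or None if absent or malformed."""
    value = request.get("cookies", {}).get(COOKIE_NAME)
    return decode_cookie(value) if value else None


def extract_cookie_first(request):
    """The order the thread describes for CookieAuthHelper: as soon as
    the cookie is present it wins, and the form fields are never read,
    even if the cookie's credentials no longer authenticate."""
    if COOKIE_NAME in request.get("cookies", {}):
        return extract_cookie(request)
    return extract_form(request)


def extract_form_first(request):
    """The order the thread attributes to CookieCrumbler: an explicit
    form submission overrides whatever cookie the browser still sends."""
    return extract_form(request) or extract_cookie(request)


def login_outcome(extractor, request, users):
    """Run an extractor, then authenticate against a constructed user
    store (plaintext passwords purely for the illustration). Returns the
    authenticated login, or None."""
    creds = extractor(request)
    if creds is None:
        return None
    if users.get(creds["login"]) == creds["password"]:
        return creds["login"]
    return None


def deleted_user_scenario():
    """alice logged in earlier, her account was then deleted, and her
    browser still sends the old cookie while bob tries to log in via
    the form in the same browser session (constructed data)."""
    users = {"bob": "hunter2"}  # alice has been deleted
    request = {
        "cookies": {COOKIE_NAME: encode_cookie("alice", "s3cret")},
        "form": {LOGIN_FIELD: "bob", PASSWORD_FIELD: "hunter2"},
    }
    return {
        "cookie_first": login_outcome(extract_cookie_first, request, users),
        "form_first": login_outcome(extract_form_first, request, users),
    }


if __name__ == "__main__":
    print(deleted_user_scenario())
```

With the cookie-first order the stale cookie is decoded, fails authentication, and bob's form submission is never seen, so the login attempt comes back unauthenticated; with the form-first order bob's credentials are used and the stale cookie is ignored. Whichever order a plugin chooses, the practical fix for the stuck browser is to have a failed cookie authentication clear or reset the cookie so the next request can fall through to the form.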

