[Zope-PAS] dealing with deleted users

Wichert Akkerman wichert at wiggy.net
Sat May 27 17:40:49 EDT 2006


Ok, I'll change PAS to behave like CookieCrumbler on trunk.

Wichert.


Previously Chris McDonough wrote:
> I imagine it's an accident of implementation.
> 
> On May 27, 2006, at 5:22 PM, Jens Vagelpohl wrote:
> 
> >
> >On 27 May 2006, at 20:37, Wichert Akkerman wrote:
> >
> >>I was investigating a Plone bug (http://dev.plone.org/plone/ticket/5355)
> >>and it is caused by PAS behaviour. The problem boils down to logic in
> >>CookieAuthHelper.extractCredentials: if a cookie is present the
> >>credentials are extracted from it and form fields are ignored. This
> >>means that if we have a cookie containing credentials which no longer
> >>authenticate it becomes impossible to log in as a different user since
> >>the form data is never seen.
> >
> >Looking at the equivalent in the CookieCrumbler code (method
> >modifyRequest) it seems the cookie crumbler does it the other way
> >around and will look for form data before looking for the cookie.
> >I'd be interested to find out the rationale for weighting cookie
> >information higher than form data. Does anyone remember?
> >
> >jens
> >
> >
> >_______________________________________________
> >Zope-PAS mailing list
> >Zope-PAS at zope.org
> >http://mail.zope.org/mailman/listinfo/zope-pas
> >
> 

-- 
Wichert Akkerman <wichert at wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
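
The ordering problem discussed in this thread, as an added Python sketch (not PAS or CookieCrumbler code): a stale cookie for a deleted user is sent together with a valid login form, and the two extraction orders are compared. The cookie name, form field names, cookie encoding and user store are constructed for illustration.

```python
import base64

# Constructed user store: "alice" has been deleted, only "bob" still exists.
USERS = {"bob": "bobpw"}
COOKIE = "auth_cookie"        # hypothetical cookie name
FORM_LOGIN = "login"          # hypothetical form field names
FORM_PASSWORD = "password"

def encode_cookie(login, password):
    # Model encoding (an assumption): base64 of "login:password".
    return base64.b64encode(f"{login}:{password}".encode()).decode()

def from_cookie(request):
    value = request.get("cookies", {}).get(COOKIE)
    if not value:
        return None
    login, _, password = base64.b64decode(value).decode().partition(":")
    return {"login": login, "password": password}

def from_form(request):
    form = request.get("form", {})
    if FORM_LOGIN in form and FORM_PASSWORD in form:
        return {"login": form[FORM_LOGIN], "password": form[FORM_PASSWORD]}
    return None

def extract(request, order):
    """Return credentials from the first source in `order` that has any."""
    for source in order:
        creds = source(request)
        if creds is not None:
            return creds
    return None

def authenticate(creds):
    """Return the login if the credentials match an existing user."""
    if creds and USERS.get(creds["login"]) == creds["password"]:
        return creds["login"]
    return None

COOKIE_FIRST = (from_cookie, from_form)  # order described for CookieAuthHelper
FORM_FIRST = (from_form, from_cookie)    # order described for CookieCrumbler

# Browser still holds deleted alice's cookie while submitting bob's login form.
REQUEST = {"cookies": {COOKIE: encode_cookie("alice", "alicepw")},
           "form": {FORM_LOGIN: "bob", FORM_PASSWORD: "bobpw"}}

if __name__ == "__main__":
    print("cookie first:", authenticate(extract(REQUEST, COOKIE_FIRST)))
    print("form first:  ", authenticate(extract(REQUEST, FORM_FIRST)))
```

With the cookie checked first, the form data is never read and the login fails until the cookie is cleared; with the form checked first, the cookie is still used on later requests that carry no form data.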

