[Zope] LoginManager HOWTO?

Lalo Martins lalo@hackandroll.org
Fri, 28 Apr 2000 18:22:23 -0300


On Wed, Apr 26, 2000 at 09:55:05AM +1000, Stuart 'Zen' Bishop wrote:
> On Wed, 19 Apr 2000, Lalo Martins wrote:
> 
> > The reasons I don't use GUF are, (1) it doesn't by default
> > acquire users, and (2) it's (in the author's words) "trivial to
> > grab people's passwords".
> 
> 1) It does now (new architecture in 1.2.0 fixed this)

I realized that as I tried. I was very pleased with it. :-)
Kudos to the developers.

> 2) Only if you give people rights to create GUF instances. It's about
>    the same as giving people ability to create arbitrary DTML methods
>    (ie. someone creates a fake login form and you would be surprised how
>    many of your users would enter their username/password without
>    thinking).

But the point of the sites I maintain is community
participation. I absolutely _need_ to let people create
arbitrary DTML in their own folders. And what if/when I want to
provide Zope hosting? Should I run a separate Zope instance for
each customer? Nah.

Yes, you can write a page asking for a login and hope people
are fooled. You can also write a banner ad with a moving guy
and say "win (whatever) if you hit the guy". Too bad. Ethics
can't be forced.

But GUF is worse because you can provide a _real_ login dialog,
and _really_ log the user in, so that s/he won't notice
something went wrong at all, but as part of the login process
store his/her password somewhere. That's bad.

It is possible with Generic User Source, yes, but that's not as
bad as it sounds, because GUS was written as an example, mostly
as a clone of GUF. I think over time people will start coming
up with safer User Sources, and then I can just uninstall the
ill-behaved ones.

Actually I'm very pleased with LoginManager; I would have it in
production already, if it weren't for the whole
permissions-for-properties problem (which keeps my naive "OFS
User Source" implementation from being really usable).

[]s,
                                               |alo
                                               +----
--
          Hack and Roll  ( http://www.hackandroll.org )
            News for, uh, whatever it is that we are.


http://www.webcom.com/lalo           mailto:lalo@hackandroll.org
                 pgp key in the personal page

Brazil of Darkness (RPG)    ---     http://zope.gf.com.br/BroDar