[Zope] Re: Zope digest, Vol 1 #616 - 60 msgs
M. Adam Kendall
mak@kha0s.org
Mon, 07 Feb 2000 18:13:19 -0500 (EST)
On 07-Feb-2000 Tres Seaver wrote:
>> It's a form problem. It's not a serious issue, just that the form that
>> comes with 2.1.3 (and 2.1.2, and maybe even 2.1.0) for editing users
>> doesn't have the proper DTML to show the old username and password. I'm
>> not even sure that this wasn't a feature.
>> I will either fix it or put it in the collector soon.
>
> NOOOOOOOO! It was an awful security hole to echo the existing password out
> the User edit form -- please don't put it back! Think about it -- on a Unix
> system, even root can't read another user's password, but only reset it. This
> is the Right Thing (TM) for Zope to do.
No, it's only the Right Thing(TM) to do if there were some way to better manage
roles. As far as I can tell, the only way to change a user's role is through
managing that user, in which case I have to re-enter that user's password. Not a
good situation. Perhaps the correct fix is to keep it as is (with the "broken"
form) and create a new interface to manage roles properly (role membership mgmt).
I don't believe that Zope has that feature, unless I am totally missing
something :)
--
M. Adam Kendall |
mak@kha0s.org | "There's never enough time to do
http://kha0s.org | all the nothing you want."
| --Bill Watterson (Calvin and Hobbes)