[Zope] Re: Zope digest, Vol 1 #616 - 60 msgs

Chris McDonough chrism@digicool.com
Mon, 07 Feb 2000 18:24:27 -0500


Tres Seaver wrote:
Yep, I agree... that's why I said I wasn't sure if it wasn't a feature.
But it interferes with the administrator assigning new roles to a user
if he doesn't have the user's password which needs to be fixed.

> 
> > From:
> > Organization: Digital Creations
> > To: "Cornelis J. de Brabander" <brabander@fsw.LeidenUniv.nl>
> > CC: zope <zope@zope.org>
> > Subject: Re: [Zope] upgrading to 2.1.3 and acl_users
> >
> > Cornelius,
> >
> > I noticed this too the other day.
> >
> > It's a form problem.  It's not a serious issue, just that the form that
> > comes with 2.1.3 (and 2.1.2, and maybe even 2.1.0) for editing users
> > doesn't have the proper DTML to show the old username and password.  I'm
> > not even sure that this wasn't a feature.
> >
> > I will either fix it or put it in the collector soon.
> 
> NOOOOOOOO!  It was an awful security hole to echo the existing password out to
> the User edit form -- please don't put it back!  Think about it -- on a Unix
> system, even root can't read another user's password, but only reset it.  This is
> the Right Thing (TM) for Zope to do.
> 
> >
> > "Cornelis J. de Brabander" wrote:
> > >
> > > Hi,
> > > I have performed an upgrade from 2.0.0 to 2.1.3. (Windows NT) by copying
> > > the data.fs.* to the var directory of the new Zope install. Both services
> > > were stopped during copy. All went well, but in all acl_users folders the
> > > passwords appear to have disappeared: in the manage screen of acl_users, the
> > > password and confirm fields are empty. However, the site functions as it
> > > should: where required access is only granted after inputting the original
> > > password that belonged to a user in the 2.0.0-version. Does anybody have a
> > > clue about what could have happened, respectively whether this is a
> > > forerunner of trouble?
> > > cb
> 
> --
> =========================================================
> Tres Seaver         tseaver@palladion.com    713-523-6582
> Palladion Software  http://www.palladion.com

-- 
Chris McDonough - Digital Creations, Inc.
Publishers of Zope - http://www.zope.org
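
The behaviour the thread arrives at (password fields always blank on the edit form, roles still editable without the password), as an added example that is not part of the original messages and is not Zope's own code. UserFolder and its method names are hypothetical, and the sample user is constructed.

```python
import hashlib
import hmac
import os


def _digest(password, salt):
    # Salted PBKDF2; only this digest is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserFolder:
    """Hypothetical stand-in for a user folder; not Zope's acl_users API."""

    def __init__(self):
        self._users = {}  # name -> {"salt", "digest", "roles"}

    def add_user(self, name, password, roles):
        if not password:
            raise ValueError("a new user needs a password")
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "digest": _digest(password, salt),
                             "roles": list(roles)}

    def edit_form_values(self, name):
        # Values used to pre-fill the edit form: the password fields are
        # always blank, so nothing secret reaches the rendered page.
        user = self._users[name]
        return {"name": name, "password": "", "confirm": "",
                "roles": list(user["roles"])}

    def edit_user(self, name, password, confirm, roles):
        # Blank password fields mean "keep the current password", so an
        # administrator can change roles without knowing or resetting it.
        user = self._users[name]
        if password or confirm:
            if password != confirm:
                raise ValueError("password and confirmation do not match")
            user["salt"] = os.urandom(16)
            user["digest"] = _digest(password, user["salt"])
        user["roles"] = list(roles)

    def authenticate(self, name, password):
        user = self._users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(user["digest"],
                                   _digest(password, user["salt"]))
```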