[Zope] Securing acl_users change password forms
Adam Manock
abmanock@earthlink.net
Sun, 27 Jan 2002 11:46:22 -0500
Problem:
Allowing users who have no rights to the Zope management interface to
change their own passwords using a DTML method that collects at least the
following from the user:
Old Password
New Password
Confirm New Password
Creating a form to do this is easy if you're using XUF and you are storing
account info in a Postgres database, for example (see pgAuthSource /
pgAuthSourceAlt of exUserFolder).
When using stock acl_users I found it got a little ugly. I thought the
below would work for checking that the user changing the password actually
knew the old password and was not just someone walking up to someone else's
computer at lunchtime:
    <dtml-if "_.SecurityGetUser().authenticate(REQUEST.form['oldPassword'], REQUEST)">
But last time I looked it didn't work without making a change to Zope's
AccessControl/User.py.
Changing this:
    def __allow_access_to_unprotected_subobjects__(self, name, value=None):
        # 'authenticate' is in the deny list, so DTML/untrusted code cannot call it
        deny_names=('name', '__', 'roles', 'domains', '_getPassword',
                    'authenticate', '_shared_roles')
        if name in deny_names:
            return 0
        return 1
To this:
    def __allow_access_to_unprotected_subobjects__(self, name, value=None):
        # 'authenticate' removed from the deny list so the dtml-if above can call it
        deny_names=('name', '__', 'roles', 'domains', '_getPassword',
                    '_shared_roles')
        if name in deny_names:
            return 0
        return 1
Of course doing that potentially opens up a whole new can of worms...
Am I missing something? Is there a way to do a change password form for
users defined in acl_users that checks the old password first without also
hacking User.py?
Adam
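The flow the post is after, written out as an added, stand-alone Python example (not Zope code and not Adam's): the handler proves knowledge of the old password before anything else, then requires the two copies of the new password to agree, and only then stores the new hash. `UserStore`, its `authenticate`/`set_password` methods and the `form` dict are assumptions standing in for acl_users, `BasicUser.authenticate` and `REQUEST.form`; the user "adam" and the passwords in the `__main__` block are constructed sample data. The old-password check lives in trusted code that owns the store, which is the alternative to opening `authenticate` up to every untrusted DTML method.

```python
"""Change-password handler that verifies the old password first.

Added example modelled on the post's DTML flow. UserStore is an assumed
stand-in for acl_users; it is not Zope's API.
"""
import hashlib
import hmac
import os


class UserStore:
    """Minimal salted-hash password store (assumed stand-in for acl_users)."""

    def __init__(self):
        self._users = {}  # name -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100000)

    def set_password(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(password, salt))

    def authenticate(self, name, password):
        """True only if password matches the stored hash (constant-time compare)."""
        entry = self._users.get(name)
        if entry is None:
            # Hash anyway so an unknown name costs the same time as a wrong password.
            self._hash(password, b"\0" * 16)
            return False
        salt, stored = entry
        return hmac.compare_digest(self._hash(password, salt), stored)


def change_password(store, name, form):
    """Apply a change-password form for the already logged-in user `name`.

    Returns (ok, message). The old password is checked before anything else,
    so someone sitting down at an unattended, logged-in browser cannot
    silently take over the account.
    """
    old = form.get("oldPassword", "")
    new = form.get("newPassword", "")
    confirm = form.get("confirmPassword", "")

    # 1. Prove knowledge of the current password (the post's dtml-if check).
    if not store.authenticate(name, old):
        return False, "old password incorrect"
    # 2. Both copies of the new password must agree (typo guard).
    if new != confirm:
        return False, "new passwords do not match"
    # 3. Minimal policy, kept in one place.
    if len(new) < 8:
        return False, "new password too short"
    if store.authenticate(name, new):
        return False, "new password must differ from old"

    store.set_password(name, new)
    return True, "password changed"


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    users = UserStore()
    users.set_password("adam", "correct horse")
    print(change_password(users, "adam", {"oldPassword": "guess",
                                          "newPassword": "new-secret-1",
                                          "confirmPassword": "new-secret-1"}))
    print(change_password(users, "adam", {"oldPassword": "correct horse",
                                          "newPassword": "new-secret-1",
                                          "confirmPassword": "new-secret-1"}))
```

The store never hands the raw hash or the `authenticate` method to the form layer; the form only ever submits three strings to `change_password`, which is the boundary the deny_names list in User.py is there to enforce.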