Re: [Zope-dev] Basic LoginManager HowTo
Lalo Martins wrote:
>
> On Sat, Jun 03, 2000 at 12:38:20AM -0500, Phillip J. Eby wrote:
> > >
> > >I tried. It's quite easy, except that you have to store the
> > >user's password in a property, and access control is somewhat
> > >broken WRT passwords, so anyone can read anyone's passwords if
> > >they can write DTML.
> >
> > Did you try naming the password attribute with an "_" at the beginning of
> > it? This should make it inaccessible from DTML, but it's a bit more work
> > since you have to write Python to do it.
>
> Actually, if I'm willing to go to Python (which I am, just
> waiting for 2.2 so I don't have to do it twice) there are
> simpler ways to do it, and you (IIRC) have already showed me
> some :-) The point is that by his question I thought Bill
> wanted a ZODB/ZClass-only solution - and I'd prefer it too if
> it was possible at all.

I am more than willing to go to python too, and don't mind doing it 2x.
I just wanted to know what had to be done, etc. to get to using the LM
with the basic US, that way I can a) start using LM and b) get to
developing an SQL-US faster. :-)

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Basic LoginManager HowTo
On Sat, Jun 03, 2000 at 12:38:20AM -0500, Phillip J. Eby wrote:
> >
> >I tried. It's quite easy, except that you have to store the
> >user's password in a property, and access control is somewhat
> >broken WRT passwords, so anyone can read anyone's passwords if
> >they can write DTML.
>
> Did you try naming the password attribute with an "_" at the beginning of
> it? This should make it inaccessible from DTML, but it's a bit more work
> since you have to write Python to do it.

Actually, if I'm willing to go to Python (which I am, just
waiting for 2.2 so I don't have to do it twice) there are
simpler ways to do it, and you (IIRC) have already showed me
some :-) The point is that by his question I thought Bill
wanted a ZODB/ZClass-only solution - and I'd prefer it too if
it was possible at all.

[]s,
|alo
+
--
Hack and Roll ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.

http://zope.gf.com.br/lalo mailto:[EMAIL PROTECTED]
pgp key: http://zope.gf.com.br/lalo/pessoal/pgp

Brazil of Darkness (RPG)--- http://zope.gf.com.br/BroDar
Re: [Zope-dev] Basic LoginManager HowTo
At 10:45 PM 6/2/00 -0300, Lalo Martins wrote:
>On Fri, Jun 02, 2000 at 07:29:18PM -0600, Bill Anderson wrote:
>> Has anyone out there actually started _using_ LoginManager with ZODB
>> storage? IOW, one that is not dependent on LDAP/SQL/etc., but that is
>> functioning in place of a non-PTK acl_users folder?
>
>I tried. It's quite easy, except that you have to store the
>user's password in a property, and access control is somewhat
>broken WRT passwords, so anyone can read anyone's passwords if
>they can write DTML.

Did you try naming the password attribute with an "_" at the beginning of
it? This should make it inaccessible from DTML, but it's a bit more work
since you have to write Python to do it. If I recall correctly, Ty once
made up a test version of a PersistentUserSource that worked this way, and
the standard Zope user objects use an attribute named "__" for this.
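The underscore rule from the message above, as an added example that is not part of the original thread and is not Zope or LoginManager code: a simplified model of a template-side attribute guard, showing a password kept in an ordinary property next to one kept in a "_"-prefixed attribute. The names `guarded_getattr`, `render`, `PropertyUser`, `UnderscoreUser` and `template_can_read` are hypothetical.

```python
# Simplified model of the "_" rule; not Zope's implementation.
# guarded_getattr, render and both user classes are hypothetical names.
import hmac
import re


class Unauthorized(Exception):
    """Template code asked for a protected attribute."""


def guarded_getattr(obj, name):
    # Template-side lookup: names starting with "_" are never handed out.
    if name.startswith("_"):
        raise Unauthorized(name)
    return getattr(obj, name)


def render(template, namespace):
    # Tiny stand-in for a template engine: fills {obj.attr} via the guard.
    def fill(match):
        return str(guarded_getattr(namespace[match.group(1)], match.group(2)))
    return re.sub(r"\{(\w+)\.(\w+)\}", fill, template)


class PropertyUser:
    """Password kept in an ordinary property: any template can read it."""
    def __init__(self, name, password):
        self.name = name
        self.password = password


class UnderscoreUser:
    """Password kept in a "_"-prefixed attribute and checked only in Python."""
    def __init__(self, name, password):
        self.name = name
        self._password = password

    def authenticate(self, candidate):
        # Trusted Python code may read _password; the caller gets a bool.
        return hmac.compare_digest(self._password.encode(), candidate.encode())


def template_can_read(user, attr):
    # True if template code can render user.<attr>, False if the guard refuses.
    try:
        render("{u.%s}" % attr, {"u": user})
        return True
    except Unauthorized:
        return False
```
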
Re: [Zope-dev] Basic LoginManager HowTo
On Fri, Jun 02, 2000 at 07:29:18PM -0600, Bill Anderson wrote:
> Has anyone out there actually started _using_ LoginManager with ZODB
> storage? IOW, one that is not dependent on LDAP/SQL/etc., but that is
> functioning in place of a non-PTK acl_users folder?

I tried. It's quite easy, except that you have to store the
user's password in a property, and access control is somewhat
broken WRT passwords, so anyone can read anyone's passwords if
they can write DTML.

Now I don't plan to just let anyone write DTML, but I don't
want to leave this hole open because I know I will forget it
sooner or later and open up an exploit.

[]s,
|alo
+
--
Hack and Roll ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.

http://zope.gf.com.br/lalo mailto:[EMAIL PROTECTED]
pgp key: http://zope.gf.com.br/lalo/pessoal/pgp

Brazil of Darkness (RPG)--- http://zope.gf.com.br/BroDar
[Zope-dev] Basic LoginManager HowTo
Has anyone out there actually started _using_ LoginManager with ZODB
storage? IOW, one that is not dependent on LDAP/SQL/etc., but that is
functioning in place of a non-PTK acl_users folder?

I am starting to play with it (so many toys, so little time...), and would
like to see (if it exists) a basic walkthrough of how to go from:

Folder with no userfolder, LM installed
-to-
Folder with LM-acl_users folder, and ZODB member storage.

So, what about it? Anyone got one, or at least could write down the
steps/requirements?

Much Appreciated,
Bill