Re: [Repoze-dev] repoze.what-pylons question

2009-09-16 Thread Douglas Mayle
way.py#l44 But what's more likely causing the problem is using the protect_action instead of ControllerProtector, like in: https://source.openplans.org/hg/communityalmanac/file/d5eaab92ec5c/communityalmanac/controllers/admin.py#l20 Douglas Mayle On Sep 16, 2009, at 9:14 AM, Iain Duncan wro

Re: [Repoze-dev] Is it possible to integrate repoze.plone and Pylons in one WSGI application?

2009-06-18 Thread Douglas Mayle
It depends on how basic your CMS needs are. The Pylons Book contains a simple CMS called SimpleSite that you could probably integrate, if your needs were light. http://pypi.python.org/pypi/SimpleSite/0.3.0 http://pylonsbook.com/en/1.0/starting-the-simplesite-tutorial.html http://pylonsbook

[Repoze-dev] Identifier plugins...

2009-06-17 Thread Douglas Mayle
wanted to make sure that: 1) This wasn't a known problem, or 2) there isn't already some other identifier plugin that satisfies my needs.. (The other possibility is just a stricter predicate, is_valid_user, I suppose, but then I'm still trusting the client to tell me who'

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-29 Thread Douglas Mayle
Douglas Mayle added the comment: Chris, I actually wrote a mock (using import hooks) that would allow me to simulate not being able to import a module, even if it's really available. This should allow us to get a higher coverage. Unfortunately, without bcrypt installed, we couldn'

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-29 Thread Douglas Mayle
Douglas Mayle added the comment: Any comments for me? Anything I need to do to get this accepted? I think it's pretty thorough, but I'm open to any criticism... __ Repoze Bugs <http://bugs.repoz

Re: [Repoze-dev] Combining registration with login...

2009-05-22 Thread Douglas Mayle
oes logout. I just finished writing >> user registration, and was wondering if there was a way that I could >> automatically log the user in on successful signup? I'm currently >> using the redirectingform plugin and the sql authenticator. Will I >> have to write

[Repoze-dev] Combining registration with login...

2009-05-22 Thread Douglas Mayle
gnup? I'm currently using the redirectingform plugin and the sql authenticator. Will I have to write my own custom plugin, or is there something I can do out of the box? Thanks, Douglas Mayle ___ Repoze-dev mailing list Repoze-dev@lists.

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-20 Thread Douglas Mayle
Douglas Mayle added the comment: Hopefully, the last of the unit tests that don't work properly in Python 2.4 __ Repoze Bugs <http://bugs.repoze.org/issue85> __ repozewho_salted_hashes_with_bcrypt.diff Description:

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-20 Thread Douglas Mayle
Douglas Mayle added the comment: Whoops, bad unittest passed through because I was testing in Python 2.5 __ Repoze Bugs <http://bugs.repoze.org/issue85> __ repozewho_salted_hashes_with_bcrypt.diff Description: Binar

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-20 Thread Douglas Mayle
Douglas Mayle added the comment: New version of the patch which also supports blowfish hashes when bcrypt is installed, and uses pycrypto on python < 2.5 for sha256 support. This patch superseded the previous two patches.

[Repoze-dev] [issue82] Add HashFormPlugin - JavaScript hashing

2009-05-20 Thread Douglas Mayle
Douglas Mayle added the comment: I've commented on this patch on the mailing list, but wanted to make sure my concerns were recorded here: * `if cleartext_password.startswith('{SHA}'):` The hashing system is entirely optional at the client level, so you don't provide

Re: [Repoze-dev] SQLAuthenticator Plugin...

2009-05-20 Thread Douglas Mayle
s to compute the password from the HMAC, the passwords are still stored as standard hashed passwords, and that means that a db leak leaves all of your accounts compromised. With salted hashes, that is not true... Douglas Mayle On May 20, 2009, at 12:07 AM, Paul Johnston wrote: > Hi, >

Re: [Repoze-dev] SQLAuthenticator Plugin...

2009-05-19 Thread Douglas Mayle
Okay, done... I recommend the base64 version, as it's backwards compatible and standards compliant... Doug On May 19, 2009, at 4:36 PM, Douglas Mayle wrote: > So, I've finished it off and submitted the patch to issue 85: > http://bugs.repoze.org/issue85 > > In absence

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-19 Thread Douglas Mayle
Douglas Mayle added the comment: Adding a version of the patch that uses base64 encoding, to be more standards compliant. The default comparator supports reading the older hex based encoding as well... -- status: unread -> chatting

Re: [Repoze-dev] SQLAuthenticator Plugin...

2009-05-19 Thread Douglas Mayle
een them... Douglas Mayle On May 19, 2009, at 3:03 PM, Douglas Mayle wrote: > On further inspection, it uses a hex form of the digest. Is there any > preference between that and RFC 2307 schemes, which use base64 for > encoding? > > Doug > > On May 19, 2009, at 1:57 PM, Doug

[Repoze-dev] [issue85] Repoze.who should support salted hashes for the sqlauthenticator

2009-05-19 Thread Douglas Mayle
New submission from Douglas Mayle : The SQL Authenticator uses unsalted hashes by default which are susceptible to attacks like Rainbow tables. I'm including a patch to add support, with tests. In addition, it's useful to have a default implementation of the hash function, so I

Re: [Repoze-dev] SQLAuthenticator Plugin...

2009-05-19 Thread Douglas Mayle
On further inspection, it uses a hex form of the digest. Is there any preference between that and RFC 2307 schemes, which use base64 for encoding? Doug On May 19, 2009, at 1:57 PM, Douglas Mayle wrote: > Hello all, > I've noticed that the default_password_compare in

[Repoze-dev] SQLAuthenticator Plugin...

2009-05-19 Thread Douglas Mayle
that into their model and have the two work in conjunction. Before I did it, however, I wanted to make sure that there wasn't something I was missing... Thanks, Douglas Mayle ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.

[Repoze-dev] [issue71] repoze.who has problems with generator wsgi applications.

2009-04-23 Thread Douglas Mayle
Douglas Mayle added the comment: As repoze.who fails to handle the WSGI spec, and I'm supplying a working patch, I'm bumping up the priority... -- priority: bug -> critical

[Repoze-dev] [issue71] repoze.who has problems with generator wsgi applications.

2009-04-23 Thread Douglas Mayle
Douglas Mayle added the comment: This is a bug in repoze.who because of this paragraph in PEP 333: (Note: the application must invoke the start_response() callable before the iterable yields its first body string, so that the server can send the headers before any body content. However, this

[Repoze-dev] [issue71] repoze.who has problems with generator wsgi applications.

2009-04-18 Thread Douglas Mayle
Douglas Mayle added the comment: The only way I can think to fix this is to create a new generator that wraps the previous one. It calls the wrapped generator once, caches that, and then yields that and any further responses. This allows the original generator to behave the way it did before

[Repoze-dev] [issue71] repoze.who has problems with generator wsgi applications.

2009-04-18 Thread Douglas Mayle
New submission from Douglas Mayle : If a WSGI application returns a generator expression, then default_challenge_decider in classifiers.py tries to call status.startswith, which blows up because status has not yet been decided (since the generator hasn't been called yet) -- mes