#2438: Authentication of non-ascii user names does not work in TG 2.x
------------------------+---------------------------------------------------
 Reporter:  chrisz      |       Owner:                     
     Type:  defect      |      Status:  new                
 Priority:  high        |   Milestone:  2.1                
Component:  TurboGears  |     Version:  trunk              
 Severity:  normal      |    Keywords:  repoze.who identity
------------------------+---------------------------------------------------
 This actually seems to be a problem of the repoze.who stack, but it
 affects TurboGears 2.x and we should push for a fix.

 The problem is that repoze.who keeps the login as an encoded byte string
 (usually utf-8), while the default TurboGears user model class stores the
 user name as unicode.

 This results in deprecation warnings from SQLAlchemy for ascii user names
 and failures for non-ascii user names.

 There is a replacement for repoze.who.plugins.sa called
 [http://aabloog.appspot.com/projects/repoze.who.plugins.sqlalchemy/
 repoze.who.plugins.sqlalchemy] which converts the input to unicode before
 accessing the database, but I'm not sure that this will fix the issue,
 since the conversion is done with a simple `unicode()` call without
 specifying any encoding. This would still fail for any non-ascii input. We
 shouldn't assume any default input encoding, since both utf-8 and latin-1
 are pretty popular.

 So I think the conversion to unicode should happen at an earlier stage
 where the input encoding is known, e.g. in repoze.who.friendlyforms, by
 replacing the following lines using paste.request in friendlyforms.py
 {{{
     query = parse_dict_querystring(environ)
     ...
     form = parse_formvars(environ)
     form.update(query)
 }}}
 with the following lines using !WebOb
 {{{
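     req = webob.Request(environ)
     # Fall back to utf-8 when the request declares no charset
     if not req.charset:
         req.charset = 'utf-8'
     # GET and POST are attributes of the WebOb request, not methods
     query = req.GET
     ...
     form = req.POST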
 }}}
 I also think that it is better to get a unicode value for the environment
 key repoze.who.identity instead of an encoded byte string, because the
 application might want to use that value itself for some purposes, and
 unicode strings are better to compare and handle.

 I've already asked for opinions on the repoze-dev mailing list, but so far
 no response.

-- 
Ticket URL: <http://trac.turbogears.org/ticket/2438>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
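
The decoding step the ticket asks for, as an added example that is not code from the ticket, repoze.who or TurboGears: the login is turned into text at the form-parsing boundary, where the request charset is known, and undecodable input is rejected. It uses the Python 3 standard library instead of WebOb; the helper names (`request_charset`, `login_from_form`, `implicit_ascii`, `make_environ`) and the sample requests are constructed for illustration.

```python
import io
from urllib.parse import parse_qsl, quote

FALLBACK_CHARSET = "utf-8"  # assumption: the same fallback the ticket proposes

def request_charset(environ):
    """Charset parameter of CONTENT_TYPE, or the fallback when none is declared."""
    for part in environ.get("CONTENT_TYPE", "").split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.lower() == "charset" and value:
            return value.strip('"')
    return FALLBACK_CHARSET

def login_from_form(environ):
    """Return the submitted login as text, or None if it cannot be decoded."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length)
    try:
        # A urlencoded body is ASCII; percent-escapes are decoded with the
        # request charset, strictly, so bad bytes are rejected, not replaced.
        fields = dict(parse_qsl(body.decode("ascii"),
                                encoding=request_charset(environ),
                                errors="strict"))
    except (UnicodeDecodeError, LookupError):
        return None
    return fields.get("login")

def implicit_ascii(raw):
    """What Python 2's unicode(raw) does when no encoding is given."""
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None

def make_environ(login, charset, declare=True):
    """Constructed sample request: a login form posted in the given charset."""
    body = ("login=%s&password=x" % quote(login, encoding=charset)).encode("ascii")
    ctype = "application/x-www-form-urlencoded"
    if declare:
        ctype += "; charset=" + charset
    return {"CONTENT_TYPE": ctype, "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body)}

if __name__ == "__main__":
    name = "J\u00fcrgen"  # constructed non-ascii user name
    for cs in ("utf-8", "latin-1"):
        print(cs, repr(login_from_form(make_environ(name, cs))))
    print("undeclared latin-1:", login_from_form(make_environ(name, "latin-1", declare=False)))
    print("implicit ascii:", implicit_ascii(name.encode("utf-8")))
```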