** Version 1.0.4
- change in the MySQLdb API: insert_id () replaced with lastrowid.
- Cookie support for GRUF with Plone.
- In m_USerInfo.dtml, url_quote is added for usernames in link hrefs.
** Version 1.0.3
- "import" fix in db.py. On some installations this produced import error.
** Version 1.0.2
- Fix in _doDelUsers () used by GRUF (Thanks to Kai)
** Version 1.0.1
- __check_connection () was missing in authenticate (). (Thanks to
- v_userdb.change_user_roles () now filters out system roles, so
it doesn't write them into the database - there was a problem with
Plone calling _doChangeUser (). (Thanks to Matthias Kleinschmidt).
** Version 1.0.0
- Don't connect () on __setstate__ (), but on the first request. This
fixes some performase issues when there are lot of thread creations.
** Version 0.9.2
- There is a new cfg option AUTO_CREATE_ROLES. It will create all roles
from user.change_user_roles () that don't exist.
** Version 0.9.2-pre2
- fixed typo in manage_create_users ()
- authenticate () works if GRUF passes None as username or password.
** Version 0.9.2-pre1
- renamed authenticate () to authenticate_main (), and same for
authorize () to avoid confusion with corresponding functions of the
basic user folder. Implemented authenticate () interface function.
- _getPassword () implemented for the user object, this is needed for GRUF.
- don't raise an error if adding roles to the parent folder fails in
mysqlUserFolder creation and role creation.
- _doAdd/Delete/Change functions are implemented.
- Now it is possible to create/change user without any roles -
manage_users_create () and manage_users_change_roles () are fixed
(thanks to Alex).
- It is also possible to leave anon_create_role empty, so new users created
with user_create are without roles (thanks to Reale Fabrizio).
- If MySQLDB returns SERVER_GONE or SERVER_LOST, __do_query () will
automaticaly reconnect and reexecute the query without raising an
- pwe_md5_crypt () looks a bit nicer now. (thanks to Lance Pillay).
- getClinetAddress () method of Zope 2.7 is now supported. Variable
REQUEST_RADDR_FIELD is ignored on Zope >= 2.7.
- validate_domain_spec () changed to work properly with Zope 2.7,
REQUEST_RHOST_FIELD removed from cfg.py. Domain spec validation is now
done by zope function. This means that REQUEST_RADDR_FIELD is always
ignored for this purpose.
- implemented hasUsers () method.
** Version 0.9.1
- docLogin method now receives parameter exception_raised if it is raised
as an exception. This is needed because in this case, method is
displayed inside standard_error_message method (so HTML headers should
not be included).
- If exception is raised during query, connection is marked (new DB API
function is added: has_errors ()). Main code checks this flag, and
reconnects in case of errors.
- MD5 digest support (thanks to Filippo Natali). Password field in the
database now has to have length 32.
- Ignore error if crypt is not avaiable (it is UNIX specific).
- manage_contents is renamed to manage_main. Add/Delete/Copy/... buttons
expect this name.
- Code will now work even if domains specification is None (although it
shouldn't be - field is NOT NULL).
** Version 0.9.0
- Domain specification for users now works.
- user_* functions are now protected by permissions. There is "Advanced"
management tab where it is possible to easily setup proxy roles for
- System now supports crypt () passwords. Also, there is a special
INVALID_PASSWORD_TYPE which denies authentication.
- It is now possible not to put expires attribute for cookies so they
will not be stored when browser exits.
- Some cfg parameters are now stored in the folder object:
life, timeout and persistence for session and user cookies,
- Management screen improvements: management screens rearranged;
fixed warning "manage_main != manage_contents"; after UserEdit submit
user is return to the user edit screen.
- Property dtml_user_dir is now visible only during creation, since it
is not used after.
- __connect () errors are silently dropped in __setstate__ ().
Interface functions will __connect () if there is a need. Errors are
handled gracefully where possible in manage functions. New interface
functions is_connected () is created.
- validate () will work without DB connection if VALIDATE_ALWAYS_SUPER is
set. Some management screens will work without DB connection - now it
is possible to change DB parameters when there is no connection.
- getUserNames () now can filter results based on optional role.
- Fixed missing "return" when VALIDATE_ONLY_ANONYMOUS is set.
- DTMLFile is used instead of HTMLFile for management screens. Management
DTML methods now use Zope's manage_page_header/footer.
- manage_addMySQLRoles now calls _addRoles ().
- Module random is used now instead of whrandom
** Version 0.6.4
- Function get_path_from_request () now users REQUEST ['URL'] to
construct request url. (thanks to Stephen Snyder).
- If tokens have invalid value, they are deleted from the cache.
Previously, it was done only for expired tokens.
- Debug logging improvements.
** Version 0.6.3
- mysqlUserFolder is now forcing basic authentication on certain ports even
if cookies are used (so FTP can be used).
- authorize () calls BasicUserFolder.authorize () now.
- URL Query string is also passed in login_goto if exception is raised
during processing. This means that user will go to the target page
including parameters after login.
- Management screen supports changing roles (thanks to Remi Houdaille).
- Multiple roles support when creating users (thanks to Remi Houdaille).
- Other small improvements in management screens.
- db.py: Tables are unlocked when exception is raised.
- Size of the username and email fields is increased to 60 in sql
creation script. Management dtml methods support now getting field
sizes from cfg.py
- New parameter mysql unix socket added.
- CACHE_USER_LIFE decreased to 60 in cfg.py
** Version 0.6.2
- If roles argument passed in validate is None, assume Anonymous.
- Users now have role "AUTHENTICATED".
- Two levels of debug messages.
** Version 0.6.1
- Cookie path and domain are now configurable.
- Security options VALIDATE_IGNORE_ROLES and VALIDATE_ONLY_ANONYMOUS.
- QUERY_STRING is also logged.
- Changed  -> () in "unlock tables" call. No more problems with
MySQLdb 0.9.0 (thanks to Albert Ting ).
- Cleared references to manage_cache. Also deleted reconnect option
from management screen.
- Deleting users from the management screen works again.
** Version 0.6.0
- User, session and token caching.
- Fixed cookie expiration time string when locale is used. Private
function is used instead of strftime ().
- Tokens database now has field Realm. This prevents using a same session
for different realms.
- Added minimal expiry time for cookies.
- UserDb.refresh_user () now returns status.
** Version 0.5.3
- mysqlUserFolder now works with MySQLdb 0.3.2 (int -> long change). Also
there should be no more problems with non English characters.
mysqlUserFolder now uses MySQLdb query parameters.
- User dtmls now set no-cache headers.
- Logging table is changed: remote address in now logged. Also, failed
cookie logging attempts are logged.
This isn't final logging system, there will be more changes.
- user_login (): login_goto_path is passed to docLogin in case of failed
** Version 0.5.3d1
- Cookie names can use realm, so users can be authenticated by multiple
folders using different realms.
** Version 0.5.2
- Session logging. Also, new table Log. This is still experimental,
meta_type and size doesn't work for some objects. Table is going to
be changed in future releases.
- SECURITY: Fix for db.del_user (), user sessions and tokens are now
deleted, when user is deleted. Please see MySQL database section in
- Fix for INSTANCE_HOME installations.
- Fixed error in __get_session_user (): Changing realm can lead to an
error if there are old sessions.
- Typing error in __setup_session () fixed.
- Management interface improvements, thanks to
- Documentation updates.
** Version 0.5.1
- Compliance of User and Session classes with Zope security system
- Changes in the TokenDb API: General (not just cookie) token support.
- getUser () was not returning completely initialized user object.
- Cookies: expire them before setting.
- Session authentication method now checks realm.
- SECURITY: Bugs fixed in session handling code: there was possibility
that user was authenticated with UF using different realm.
- Typing error in use_login (): Session was not terminated when
authenticated user logs as another user.
- validate (): Now, Anonymous is not authenticated when http auth is
used. In this case, Zope's root user folder should do the
- getUser () now returns user object that is not wrapped. Don't know why
zope wants it in this way, but otherwise there are problems.
- User's miscdata were not deleted when user was deleted.
- Session and user timeouts are changed.
- DTML properties screen was not showing correct database name.
** Version 0.5.0
- Complete redesign: session support, Zope 2.2, editable user dtmls.
- Authentication process is changed.
- MySQL tables are changed (tables Users and Roles are not changed).
- MiscData get function now returns default values for keys that don't