PluggableAuthService 1.5 released

Announcing the release of version 1.5 of the PluggableAuthService (PAS) product.

Overview

This product defines a fully-pluggable user folder, intended for use in all Zope sites.

Download

http://www.zope.org/Products/PluggableAuthService/PluggableAuthService-1.5/

Documentation

Please see the files under doc/ in the packaged software for more information, and consult the interfaces files under interfaces/ in the software package for PluggableAuthService and plugin APIs.

More Information

  • Mailing list: http://lists.zope.org/mailman/listinfo/zope-pas/
  • Collector: http://www.zope.org/Collectors/PAS/
  • Subversion repository: http://svn.zope.org/PluggableAuthService/

Changes

Features Added

  • Added support for property plugins returning an IPropertySheet to PropertiedUser. Added addPropertysheet to IPropertiedUser.
  • Added a method to the IRoleAssignerPlugin to remove roles from a principal, and an implementation for it on the ZODBRoleManager. (http://www.zope.org/Collectors/PAS/57)
  • Added events infrastructure. Enabled new IPrincipalCreatedEvent and ICredentialsUpdatedEvent events.
  • Added support for registering plugin types via ZCML.
  • Implemented authentication caching in _extractUserIds.
  • Ported standard user folder tests from the AccessControl test suite.

Bugs Fixed

  • Passwords with ":" characters would break authentication (http://www.zope.org/Collectors/PAS/51)
  • Corrected documented software dependencies
  • Converted publishable security-sensitive methods to accept only POST requests, to prevent cross-site request forgery (CSRF) attacks in which a GET link triggers a state-changing action with the victim's credentials. Note that requiring POST is only a partial CSRF defence; a request token is still needed against forged POST forms. See http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement and http://dev.plone.org/plone/ticket/6310
  • Fixed an issue in the user search filter where unrecognized keyword arguments were ignored, resulting in duplicate search entries. (http://dev.plone.org/plone/ticket/6300)
  • Made sure the Extensions.upgrade script does not commit full transactions but only sets (optimistic) savepoints. Removed bogus Zope 2.7 compatibility in the process. (http://www.zope.org/Collectors/PAS/55)
  • Made the CookieAuthHelper only use the __ac_name field if __ac_password is also present. This fixes a login problem for CMF sites where the login name was remembered between sessions with an __ac_name cookie.
  • Made the DomainAuthHelper return the remote address, even if the remote host is not available (http://www.zope.org/Collectors/PAS/49).
  • Fixed a bug in DelegatingMultiPlugin which compared the supplied password directly against the stored user password; updated to use AuthEncoding.pw_validate so that encoded (hashed) stored passwords are handled correctly.
  • Fixed a serious security hole in DelegatingMultiPlugin which allowed authentication if the EmergencyUser login was passed in, without checking the password. Added password validation using AuthEncoding.pw_validate.
  • Fixed a set of tests that tested values computed from dictionaries and could break since dictionaries are not guaranteed to have any sort order.
  • Fixed test breakage induced by use of Z3 pagetemplates in Zope 2.10+.
  • BasePlugin: The listInterfaces method only considered the old-style __implements__ machinery when determining interfaces provided by a plugin instance.
  • ZODBUserManager: Already encrypted passwords were encrypted again in addUser and updateUserPassword. (http://www.zope.org/Collectors/Zope/1926)
  • Made sure the emergency user via HTTP basic auth always wins, no matter how broken the plugin landscape.
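Three of the fixes above (Collectors/PAS/51, the DelegatingMultiPlugin password comparison, and Collectors/Zope/1926) share one theme: how a user folder takes credentials apart and compares them with what it stores. The following is an added example written for this page, not code from PluggableAuthService. It assumes a hypothetical UserManager and stand-in helpers (pw_encrypt, pw_validate, is_encrypted) that mirror the "{SSHA}" salted-SHA1 format Zope's AuthEncoding module produces but are not that module; naive_extract reproduces the pre-fix colon handling for contrast, and basic_header builds constructed test input.

```python
import base64
import hashlib
import hmac
import os

# Assumption: the "{SSHA}" scheme below mirrors the AuthEncoding format; the
# helpers are stand-ins written for this example, not AuthEncoding itself.
SSHA_PREFIX = "{SSHA}"


def basic_header(login, password):
    """Build an HTTP Basic Authorization header (constructed test input)."""
    token = base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _decode_basic(header):
    """Return the decoded 'login:password' string, or None if not Basic auth."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def naive_extract(header):
    """Pre-1.5 behaviour: splitting on every colon means a password containing
    ':' yields three or more fields and the unpacking fails (Collectors/PAS/51)."""
    decoded = _decode_basic(header)
    if decoded is None:
        return None
    try:
        login, password = decoded.split(":")
    except ValueError:
        return None  # "alice:p:ss:w0rd" -> too many values to unpack
    return login, password


def extract_basic_credentials(header):
    """Fixed behaviour: the login cannot contain ':' (RFC 7617), so split on
    the FIRST colon only and keep the rest, colons included, as the password."""
    decoded = _decode_basic(header)
    if decoded is None or ":" not in decoded:
        return None
    login, _, password = decoded.partition(":")
    return login, password


def is_encrypted(pw):
    return pw.startswith(SSHA_PREFIX)


def pw_encrypt(pw, salt=None):
    """Salted SHA-1: '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(pw.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def pw_validate(reference, attempt):
    """Compare an attempt against the stored reference, which may be hashed or
    (legacy) plaintext. Comparing the plaintext attempt against the hash with
    '==', as the old DelegatingMultiPlugin did, always fails for hashed users."""
    if not is_encrypted(reference):
        return hmac.compare_digest(reference.encode("utf-8"), attempt.encode("utf-8"))
    raw = base64.b64decode(reference[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(attempt.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


class UserManager:
    """Hypothetical stand-in for a ZODBUserManager-style password store."""

    def __init__(self):
        self._passwords = {}

    def add_user(self, login, password):
        # Collectors/Zope/1926: a value that is already '{SSHA}...' is stored
        # as-is; hashing it a second time would lock the account out.
        if not is_encrypted(password):
            password = pw_encrypt(password)
        self._passwords[login] = password

    def stored_password(self, login):
        return self._passwords.get(login)

    def authenticate(self, header):
        """Return the login on success, else None."""
        creds = extract_basic_credentials(header)
        if creds is None:
            return None
        login, attempt = creds
        reference = self._passwords.get(login)
        if reference is None:
            return None
        return login if pw_validate(reference, attempt) else None


if __name__ == "__main__":
    users = UserManager()
    users.add_user("alice", "p:ss:w0rd")
    hdr = basic_header("alice", "p:ss:w0rd")
    print(naive_extract(hdr), extract_basic_credentials(hdr), users.authenticate(hdr))
```

The SSHA scheme is shown because it is what this era of Zope stored; a new deployment should use a slow, memory-hard password hash (bcrypt, scrypt or Argon2) rather than salted SHA-1, and the is_encrypted check then has to recognise that scheme's prefix instead.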

Other

  • Cleaned up code in CookieAuthHelper which allowed the form to override login/password if a cookie had already been set.
  • Removed some BBB code for Zope versions < 2.8, which is not needed since we require Zope > 2.8.5 nowadays.