[Zope-Coders] Towards 2.6

Chris McDonough chrism@zope.com
16 Oct 2002 13:31:24 -0400


I would also like to add the following bugfix (primarily geared towards
solving a ZC customer issue).  I'd like to make it possible for users to
change their login names without affecting local roles and other
security-related data structures.  Zope Users were always intended to
work this way, but for hysterical raisins, they currently don't.

The default "BasicUser" class in AccessControl takes a halfhearted stab
at differentiating between the user "id" and the user "name".  But the
"SimpleUser" subclass of it makes no distinction, and there are some
other bits in the code that use "getUserName" against a user that should
really use "getId".

I'm confident that this can be done without impacting backwards
compatibility.

If no one has violent opposition, I will be checking something in to the
trunk and the 2.6 branch that does this; it will primarily consist of
changes to the User module, the UI for the default user folder, and some
changes from "getUserName" in reliant code to "getId" (traversal
security, etc).

- C
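The id/name split described above, as an added example that is not Zope code: a toy user folder keeps users under an immutable id, login names are looked up at authentication time and may be renamed, and local roles keyed by getId() survive the rename while roles keyed by getUserName() are orphaned (and would be inherited by whoever is later given the old login). The UserFolder, Folder, grant and roles_by_* names are stand-ins chosen for this illustration; only the getId/getUserName method names mirror the ones discussed in the message.

```python
"""Added example: key security data by user id, not by login name.
UserFolder/Folder/grant/roles_by_* are illustrative names, not Zope's API."""
from dataclasses import dataclass


@dataclass
class User:
    id: str     # stable identifier, never changes
    name: str   # login name, may be changed by an administrator

    def getId(self):
        return self.id

    def getUserName(self):
        return self.name


class UserFolder:
    """Users stored by id; login names are resolved to a user at login time."""

    def __init__(self):
        self._by_id = {}

    def add_user(self, user_id, login):
        if user_id in self._by_id:
            raise ValueError("duplicate user id %r" % user_id)
        if self.get_user(login) is not None:
            raise ValueError("login name %r already taken" % login)
        user = User(user_id, login)
        self._by_id[user_id] = user
        return user

    def get_user(self, login):
        """Login-time lookup by (mutable) login name; None if unknown."""
        for user in self._by_id.values():
            if user.name == login:
                return user
        return None

    def get_user_by_id(self, user_id):
        return self._by_id.get(user_id)

    def change_login(self, user_id, new_login):
        # Login names must stay unique, otherwise get_user() becomes ambiguous.
        if self.get_user(new_login) is not None:
            raise ValueError("login name %r already taken" % new_login)
        self._by_id[user_id].name = new_login


class Folder:
    """A content object carrying local roles: key -> set of role names."""

    def __init__(self):
        self.local_roles = {}


def grant(folder, key, role):
    folder.local_roles.setdefault(key, set()).add(role)


def roles_by_id(folder, user):
    """The intended behaviour: roles keyed by the immutable id."""
    return folder.local_roles.get(user.getId(), set())


def roles_by_name(folder, user):
    """The legacy behaviour: roles keyed by the mutable login name."""
    return folder.local_roles.get(user.getUserName(), set())


def demo():
    """Rename a user and compare how id-keyed and name-keyed roles behave."""
    uf = UserFolder()
    alice = uf.add_user("u-1001", "alice")          # constructed sample user
    by_id, by_name = Folder(), Folder()
    grant(by_id, alice.getId(), "Manager")
    grant(by_name, alice.getUserName(), "Manager")
    before = (roles_by_id(by_id, alice), roles_by_name(by_name, alice))

    uf.change_login("u-1001", "alice.smith")
    renamed = uf.get_user("alice.smith")
    after = (roles_by_id(by_id, renamed), roles_by_name(by_name, renamed))

    # The old login is now free; a new account created under it silently
    # inherits the name-keyed Manager role, which is the security problem.
    newcomer = uf.add_user("u-1002", "alice")
    leaked = roles_by_name(by_name, newcomer)
    return before, after, leaked, uf.get_user_by_id("u-1001") is renamed
```

Calling demo() shows both folders granting Manager before the rename, only the id-keyed folder still granting it afterwards, and the orphaned name-keyed grant attaching itself to the next account that takes the old login.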

On Wed, 2002-10-16 at 12:08, Florent Guillaume wrote:
> FYI here are the things I want to fix before 2.6 (b3 or final):
> 
> - Check in something fixing i18n and Unicode handling for the cases I
>   outlined recently. There are too many legacy pages that won't be able
>   to use Unicode at all otherwise. See the thread at
>   http://lists.zope.org/pipermail/zope-coders/2002-September/002110.html
>   for details.
> 
> - Fix all the unqualified <dtml-var foo> in the code that are potential
>   XSS security bugs. I have a patch that does most of it, actually that
>   removes 95% of the <dtml-var foo> to replace them by &dtml-foo;, which
>   is the right thing in most cases. Note that it helps auditability a
>   lot to be able to grep for '<dtml-var'.
> 
> - Maybe improve Catalog speed for CMF, see
>   http://lists.zope.org/pipermail/zope-coders/2002-October/002210.html
>   I understand it's better to code something in a branch to get feedback
>   too, I'll do that.
> 
> Florent
> 
> -- 
> Florent Guillaume, Nuxeo (Paris, France)
> +33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
> 
> _______________________________________________
> Zope-Coders mailing list
> Zope-Coders@zope.org
> http://lists.zope.org/mailman/listinfo/zope-coders
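The `<dtml-var foo>` versus `&dtml-foo;` point in Florent's list, as an added example that is not Zope's DTML engine: a minimal renderer treats a bare `<dtml-var name>` as raw insertion and both `&dtml-name;` and `<dtml-var name html_quote>` as HTML-quoted insertion, and an audit function does what the "grep for '<dtml-var'" remark suggests, listing every dtml-var tag that lacks html_quote. The template, the context value and the simplified tag grammar are constructed for this illustration; real DTML accepts more attributes and entity forms than the regex below.

```python
"""Added example: raw <dtml-var> insertion versus HTML-quoted &dtml-foo;.
This is a toy renderer for illustration, not Zope's DocumentTemplate."""
import html
import re

# Simplified DTML grammar: a dtml-var tag (name plus optional attributes)
# or the &dtml-name; entity shorthand, matched in a single pass so that
# a raw value containing "&dtml-..." is never re-expanded.
TOKEN = re.compile(r"<dtml-var\s+([A-Za-z_]\w*)([^>]*)>|&dtml-([A-Za-z_]\w*);")


def render(template, context):
    """Expand the template against a dict of values."""
    def expand(match):
        tag_name, attrs, entity_name = match.groups()
        if tag_name is not None:
            value = str(context[tag_name])
            # Only the qualified form <dtml-var x html_quote> is escaped.
            if "html_quote" in attrs.split():
                return html.escape(value, quote=True)
            return value                      # unqualified: raw, XSS-prone
        # &dtml-x; is equivalent to <dtml-var x html_quote>
        return html.escape(str(context[entity_name]), quote=True)

    return TOKEN.sub(expand, template)


def audit(template):
    """Return (line_no, tag) for every <dtml-var> that is not html_quote'd."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        for match in TOKEN.finditer(line):
            tag_name, attrs, _ = match.groups()
            if tag_name is not None and "html_quote" not in attrs.split():
                findings.append((lineno, match.group(0)))
    return findings


# Constructed sample template: same value inserted three ways.
TEMPLATE = (
    "<p>Hello <dtml-var name>!</p>\n"
    "<p>Hello &dtml-name;!</p>\n"
    "<p>Hello <dtml-var name html_quote>!</p>\n"
)
CONTEXT = {"name": "<script>alert(1)</script>"}   # constructed attacker input


def demo():
    """Render the sample and return the three output lines plus the audit."""
    return render(TEMPLATE, CONTEXT).splitlines(), audit(TEMPLATE)
```

Line 1 of the rendered output carries the script tag verbatim, lines 2 and 3 carry it as `&lt;script&gt;...`, and the audit reports only line 1. Note that `html.escape` also turns `'` into `&#x27;`, which is slightly stricter than the quoting described in the thread; that is a deliberate simplification of this toy, not a claim about DTML.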