[Zope-PTK] Security Release: Membership 0.7.6

Michael Bernstein mbernstein@profitscape.com
Thu, 21 Sep 2000 09:17:36 -0500


Michael Bernstein wrote:
> 
> Bill Anderson wrote:
> >
> > I do have workarounds for HPUX and Solaris, but they involve modifying
> > the code to PersistentUserSource.py in Membership, to account for the
> > lack of the encryption. Specifically, to ignore all attempts to encrypt
> > anything.
> 
> Bill,
> 
> while the fix for Solaris works for the generic
> LM/Membership, it circumvents the userAuthenticate method of
> the User Source, and compares the submitted password with
> the stored password directly. That method is the one that
> I'm overriding using a Python method to call the SMB
> authentication code instead.
> 
> I didn't notice at first because I was testing with a user
> that had been added to the User Source early on, before I
> stopped the register method from stuffing the password into
> the user object.
> 
> > I'd rather be able to figure out _why_ it doesn't work as it should.
> 
> Me too.

I think I've found why the original 0.7.6 membership was failing with my
SMB authentication modifications:

if hasattr(self, 'userAuthenticate'):
   ^^^^^^^

The userAuthenticate method that I'm adding is a Python method dropped
into the User Source, and I suspect that the Python method is not being
picked up as an attribute of the object because it's not defined in the
PersistentUserSource.py file itself.

            old_au = setuid(self.REQUEST, _LoggingInUser)
            try:
                ok = self.userAuthenticate(
                   self, request, user=user, password=password)
            finally:
                setuid(self.REQUEST, old_au)
        else:
            encpw =  user.propertysheets.SystemProperties.password
            ok = self.comparePassword(password, encpw)

So, I suspect that the only reason that this else clause is being called
(and failing because of the platform dependency) is because of the
userAuthenticate method's 'invisibility'.

Does this seem reasonable, or do I misunderstand the operation of
'hasattr'?

Michael Bernstein.
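Added illustration (not Membership's or Zope's code, written for this thread): a constructed model of the dispatch quoted above, showing that plain Python hasattr does see a hook attached to the instance, and that when the hook is absent the authenticate call silently drops into the comparePassword branch unless the caller insists on the hook. Names such as UserSource, User, external_auth and require_hook are stand-ins assumed here.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    stored_password: str  # stand-in for the SystemProperties password property


class UserSource:
    """Constructed model of the hasattr dispatch quoted from PersistentUserSource.py."""

    def __init__(self, user):
        self.user = user
        self.path_taken = None  # records which branch authenticate() used

    def comparePassword(self, submitted, stored):
        # platform-neutral stand-in for the real (crypt-based) comparison
        return submitted == stored

    def authenticate(self, submitted, require_hook=False):
        if hasattr(self, 'userAuthenticate'):
            self.path_taken = 'hook'
            return bool(self.userAuthenticate(self.user, submitted))
        if require_hook:
            # fail closed rather than silently bypassing the external check
            raise RuntimeError('userAuthenticate hook not visible on the User Source')
        self.path_taken = 'compare'
        return self.comparePassword(submitted, self.user.stored_password)


def external_auth(user, password):
    # stand-in for the SMB check; only this constructed credential is valid
    return (user.name, password) == ('alice', 'smb-secret')


def check_instance_hook():
    """A hook set directly on the instance is found by hasattr and used."""
    src = UserSource(User('alice', 'stale-local'))
    src.userAuthenticate = external_auth  # plain function: no self binding
    ok = src.authenticate('smb-secret')
    return src.path_taken, ok


def check_missing_hook():
    """Without the hook, the stored property is compared instead (and fails here)."""
    src = UserSource(User('alice', 'stale-local'))
    ok = src.authenticate('smb-secret')
    return src.path_taken, ok


def check_strict_missing_hook():
    """With require_hook the absence of the hook is an error, not a fallback."""
    src = UserSource(User('alice', 'stale-local'))
    try:
        src.authenticate('smb-secret', require_hook=True)
    except RuntimeError:
        return 'refused'
    return 'fell back'
```

If the real hook were reached, check_instance_hook would report the 'hook' path; a 'compare' result on a User Source that should carry the hook is the symptom to look for.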