
Mailing List Archive: Zope: Users

change password through script messes up session

 

 



teebes at gmail

Oct 5, 2008, 6:48 PM

Post #1 of 6 (373 views)

Hello all,

I'm trying to write a piece of code that just changes the password of a
user as they are logged in. This is in a Script(Python). I'm using PAS and
CookieCrumbler and the code is as follows:
container.acl_users.users.manage_updateUserPassword(user['id'],password,password)

This does work and change the password, however what happens then is
anytime I try to access a resource that I could view prior to changing the
password, I get a basic pop-up auth login prompt (even though I'm using
CookieCrumbler), and entering the new creds doesn't work. If I logout
through the login/logout link and log back in with the web form, everything
is fine (and the new creds do work then).

Here is the error that's thrown in the logs:

Traceback (innermost last):
Module ZPublisher.Publish, line 106, in publish
Module ZPublisher.BaseRequest, line 468, in traverse
Module ZPublisher.HTTPResponse, line 687, in unauthorized

Unauthorized: <strong>You are not authorized to access this resource.</strong>


So basically, I can't access any protected object until I log out and log
back in.

Anyone have any insight here? I've been trying to read the Plone source
code to figure out how they do it but I can't get their code to work... I've
been searching around for an answer to this all weekend but can't find
anything :(

Thanks for the help,

- Teebes


l at lrowe

Oct 6, 2008, 6:52 AM

Post #2 of 6 (355 views)
Re: change password through script messes up session [In reply to]

IIRC CookieCrumbler just stores the username:password on the __ac
cookie. You probably need to force it to set another cookie when you
change the password, or move to a different implementation like
plone.session that uses signed cookies and avoids the requirement to
store the password on a cookie.

Laurence

Thibaud Morel l'Horset wrote:
> Hello all,
>
> I'm trying to write a piece of code that just changes the password of
> a user as they are logged in. This is in a Script(Python). I'm using PAS
> and CookieCrumbler and the code is as follows:
> container.acl_users.users.manage_updateUserPassword(user['id'],password,password)
>
> This does work and change the password, however what happens then is
> anytime I try to access a resource that I could view prior to changing
> the password, I get a basic pop-up auth login prompt (even though I'm
> using CookieCrumbler), and entering the new creds doesn't work. If I
> logout through the login/logout link and log back in with the web form,
> everything is fine (and the new creds do work then).
>
> Here is the error that's thrown in the logs:
>
> Traceback (innermost last):
> Module ZPublisher.Publish, line 106, in publish
> Module ZPublisher.BaseRequest, line 468, in traverse
> Module ZPublisher.HTTPResponse, line 687, in unauthorized
>
>
> Unauthorized: <strong>You are not authorized to access this resource.</strong>
>
>
> So basically, I can't access any protected object until I log out and
> log back in.
>
> Anyone have any insight here? I've been trying to read the Plone
> source code to figure out how they do it but I can't get their code to
> work... I've been searching around for an answer to this all weekend but
> can't find anything :(
>
> Thanks for the help,
>
> - Teebes
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Zope maillist - Zope[at]zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )

_______________________________________________
Zope maillist - Zope[at]zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )


giampiero.benvenuti at chiaroscuro

Oct 6, 2008, 9:24 AM

Post #3 of 6 (353 views)
Re: change password through script messes up session [In reply to]

Hi,

what I do:

req = context.REQUEST

context.acl_users.manage_users('Change', {'name': req['name'],
    'password': req['pswd'], 'confirm': req['cpswd'],
    'roles': req['roles'], 'domains': ''})



On Oct 6, 2008, at 3:48 AM, Thibaud Morel l'Horset wrote:

> Hello all,
>
> I'm trying to write a piece of code that just changes the
> password of a user as they are logged in. This is in a
> Script(Python). I'm using PAS and CookieCrumbler and the code is as follows:
> container.acl_users.users.manage_updateUserPassword(user['id'],password,password)
>
> This does work and change the password, however what happens then
> is anytime I try to access a resource that I could view prior to
> changing the password, I get a basic pop-up auth login prompt (even
> though I'm using CookieCrumbler), and entering the new creds
> doesn't work. If I logout through the login/logout link and log
> back in with the web form, everything is fine (and the new creds do
> work then).
>
> Here is the error that's thrown in the logs:
> Traceback (innermost last):
> Module ZPublisher.Publish, line 106, in publish
> Module ZPublisher.BaseRequest, line 468, in traverse
> Module ZPublisher.HTTPResponse, line 687, in unauthorized
>
>
> Unauthorized: <strong>You are not authorized to access this
> resource.</strong>
>
> So basically, I can't access any protected object until I log out
> and log back in.
>
> Anyone have any insight here? I've been trying to read the Plone
> source code to figure out how they do it but I can't get their code
> to work... I've been searching around for an answer to this all
> weekend but can't find anything :(
>
> Thanks for the help,
>
> - Teebes



zopelist at betabug

Oct 6, 2008, 10:39 AM

Post #4 of 6 (353 views)
Re: change password through script messes up session [In reply to]

(Sun, Oct 05, 2008 at 09:48:20PM -0400) Thibaud Morel l'Horset wrote/schrieb/egrapse:
> I'm trying to write a piece of code that just changes the password of a
> user as they are logged in. This is in a Script(Python). I'm using PAS and
> CookieCrumbler and the code is as follows:
> container.acl_users.users.manage_updateUserPassword(user['id'],password,password)
>
> This does work and change the password, however what happens then is
> anytime I try to access a resource that I could view prior to changing the
> password, I get a basic pop-up auth login prompt (even though I'm using
> CookieCrumbler), and entering the new creds doesn't work. If I logout
> through the login/logout link and log back in with the web form, everything
> is fine (and the new creds do work then).

AFAIK this case is documented in the CC docs, also it's quite obvious
from the CookieCrumbler API: You need to call its credentialsChanged
method.

Regards,

Sascha



dieter at handshake

Oct 6, 2008, 10:40 AM

Post #5 of 6 (353 views)
Re: change password through script messes up session [In reply to]

Laurence Rowe wrote at 2008-10-6 09:52 -0400:
>IIRC CookieCrumbler just stores the username:password on the __ac
>cookie. You probably need to force it to set another cookie when you
>change the password, or move to a different implementation like
>plone.session that uses signed cookies and avoids the requirement to
>store the password on a cookie.

PAS has a standard method to indicate that credentials have been changed
("updateCredentials" or something like this).

If it is used (and the plugins set up correctly), then the
"Unauthorized" should not happen -- provided the password change
is at an appropriate place (the "updateCredentials" assumes to
be called in the normal request -- not somewhere during traversal).



--
Dieter


teebes at gmail

Oct 6, 2008, 1:18 PM

Post #6 of 6 (352 views)
Re: change password through script messes up session [In reply to]

credentialsChanged did the trick! thanks so much... and you're right, it was
quite obvious (especially now that I see it!)

Thanks again,

- Teebes

On Mon, Oct 6, 2008 at 1:39 PM, Sascha Welter <zopelist[at]betabug.ch> wrote:

> (Sun, Oct 05, 2008 at 09:48:20PM -0400) Thibaud Morel l'Horset wrote/schrieb/egrapse:
> > I'm trying to write a piece of code that just changes the password of a
> > user as they are logged in. This is in a Script(Python). I'm using PAS and
> > CookieCrumbler and the code is as follows:
> > container.acl_users.users.manage_updateUserPassword(user['id'],password,password)
> >
> > This does work and change the password, however what happens then is
> > anytime I try to access a resource that I could view prior to changing the
> > password, I get a basic pop-up auth login prompt (even though I'm using
> > CookieCrumbler), and entering the new creds doesn't work. If I logout
> > through the login/logout link and log back in with the web form, everything
> > is fine (and the new creds do work then).
>
> AFAIK this case is documented in the CC docs, also it's quite obvious
> from the CookieCrumbler API: You need to call its credentialsChanged
> method.
>
> Regards,
>
> Sascha
>
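
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not CookieCrumbler, PAS or plone.session code: a minimal model of a cookie that carries `name:password`, showing why it goes stale after a password change and why reissuing it (what `credentialsChanged` is for) fixes that, next to a generic signed cookie that carries no password. The user store, signing key, cookie layouts and all function names are constructed for the illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

USERS = {"teebes": "old-secret"}        # constructed user store (plaintext only for this demo)
SIGNING_KEY = b"constructed-demo-key"   # placeholder server-side secret

def make_ac_cookie(name, password):
    """Credential cookie as described in the thread: encoded 'name:password'."""
    return quote(base64.b64encode(f"{name}:{password}".encode()).decode())

def check_ac_cookie(value):
    """Return the user name if the cookie's credentials still validate, else None."""
    try:
        name, _, password = base64.b64decode(unquote(value)).decode().partition(":")
    except ValueError:                  # malformed base64 or invalid UTF-8
        return None
    stored = USERS.get(name)
    ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return name if ok else None

def make_signed_cookie(name):
    """Alternative: the cookie carries an HMAC over the user name, no password."""
    sig = hmac.new(SIGNING_KEY, name.encode(), hashlib.sha256).hexdigest()
    return f"{name}:{sig}"

def check_signed_cookie(value):
    name, _, sig = value.rpartition(":")
    expected = hmac.new(SIGNING_KEY, name.encode(), hashlib.sha256).hexdigest()
    ok = name in USERS and hmac.compare_digest(sig.encode(), expected.encode())
    return name if ok else None

def demo():
    USERS["teebes"] = "old-secret"
    ac = make_ac_cookie("teebes", "old-secret")
    signed = make_signed_cookie("teebes")
    USERS["teebes"] = "new-secret"      # password changed, cookies left untouched
    return {
        "stale_ac": check_ac_cookie(ac),                    # cookie still holds old password
        "reissued_ac": check_ac_cookie(make_ac_cookie("teebes", "new-secret")),
        "signed": check_signed_cookie(signed),              # unaffected by the change
        "leaked": base64.b64decode(unquote(ac)).decode(),   # cookie reveals the password
    }

if __name__ == "__main__":
    print(demo())
```

In this model the signed cookie keeps working after the password change, so a design that wants a password change to end existing sessions has to revoke them separately.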
