Email Addresses as User Names

MattBowen

Email Addresses as User Names

Hi all,

I need to allow email addresses as user names on my plone site. Because I need a few different types of users and want to collect some additional information about my users when they join, I am making remember based users. Remember's BaseMember type does not allow @ or . in user names, so I have overloaded its ID validator to allow them. I have tested my new type, and it works, but I'm wondering if there is some reason behind not allowing punctuation in user names that I am missing. Have I opened some hideous security hole in my site, or is the remember validator there for some other reason (backwards compatibility, maybe)?

Here is my validator pattern:

ALLOWED_MEMBER_ID_PATTERN = re.compile( "^[A-Za-z][A-Za-z0-9_\.\@\-]*$" )

Any information about why remember (and Plone's default) are more restrictive would be much appreciated, as would any other advice.

Thanks,
Matt
David Bain

Re: Email Addresses as User Names

Matt,
I managed to do what you're describing, email address as username, with an ldap setup, but that might be overkill if that is your only purpose.

On 5/4/07, MattBowen <[hidden email]> wrote:

Hi all,

I need to allow email addresses as user names on my plone site. Because I
need a few different types of users and want to collect some additional
information about my users when they join, I am making remember based users.
Remember's BaseMember type does not allow @ or . in user names, so I have
overloaded its ID validator to allow them. I have tested my new type, and it
works, but I'm wondering if there is some reason behind not allowing
punctuation in user names that I am missing. Have I opened some hideous
security hole in my site, or is the remember validator there for some other
reason (backwards compatibility, maybe)?

Here is my validator pattern:

ALLOWED_MEMBER_ID_PATTERN = re.compile( "^[A-Za-z][A-Za-z0-9_\.\@\-]*$" )

Any information about why remember (and Plone's default) are more
restrictive would be much appreciated, as would any other advice.

Thanks,
Matt
MattBowen

Re: Email Addresses as User Names

Hi David,

Thanks for replying. It's good to know that people are doing similar things.

I had initially looked at implementing a simple PAS plugin based on the gmail auth plugin to allow my users to authenticate with their email address and to use MD5-hashed passwords, but my use case has grown to require additional fields in the user type for new registrations, so membrane/remember seems to do what i need. Furthermore, I don't want new users having their passwords stored as unsalted MD5 sums, so remember lets me create a legacy user type for migration then have new users join with a more secure hash. I am trying to avoid hooking into an external data source for my user login, and remember saves me that trouble, but I need to make sure that in my excitement I haven't done something really obviously dumb :)

However, I can certainly learn something from your LDAP setup. With your LDAP setup, do the users login and join with the usual Plone machinery? Also, when the users go to their folders, do they have URLs like "http://www.example.com/portal/portal_memberdata/user@example.com/view"?

Thanks,
Matt

David Bain wrote
Matt,
I  managed to do what you're describing, email address as username, with an
ldap setup, but that might be overkill if that is your only purpose.
Rob Miller

Re: Email Addresses as User Names

MattBowen wrote:

> Hi all,
>
> I need to allow email addresses as user names on my plone site. Because I
> need a few different types of users and want to collect some additional
> information about my users when they join, I am making remember based users.
> Remember's BaseMember type does not allow @ or . in user names, so I have
> overloaded its ID validator to allow them. I have tested my new type, and it
> works, but I'm wondering if there is some reason behind not allowing
> punctuation in user names that I am missing. Have I opened some hideous
> security hole in my site, or is the remember validator there for some other
> reason (backwards compatibility, maybe)?
>
> Here is my validator pattern:
>
> ALLOWED_MEMBER_ID_PATTERN = re.compile( "^[A-Za-z][A-Za-z0-9_\.\@\-]*$" )
>
> Any information about why remember (and Plone's default) are more
> restrictive would be much appreciated, as would any other advice.

Remember is restrictive in this way because Plone is restrictive in this way.
Remember's explicit goal is to be a default Plone work-alike.

that being said, email addresses as user ids is a common request, and there's
no reason it can't be done.  changing the regex and the validation should get
you most of the way there.

the only other issue that i can think of is that with Remember, by default,
login name == user id == id of the member object.  this introduces a couple of
issues:

- member's user ids are frequently displayed in the UI of a Plone site.  if
the user id is the email address, this makes joining your site a nice way for
someone to immediately increase the amount of spam they receive, since their
email address will be very easily harvestable.

- within Zope, the id of an object is intrinsic to that object's URL.  URLs
are not allowed to contain the '@' character as a part of the path.

now there's no law saying that the user name, i.e. what you use to log in, has
to match the user id, nor that either of those need to match the id of the
member object when you're using Remember.  i punted on those issues when i
wrote Remember, however, so it may require a bit of tweaking in order to get
it to work.

on another note, you mentioned in a different post that you were considering
using the gmail auth plug-in.  currently, the Membrane PAS plug-ins (which
Remember relies upon heavily) all make the not-so-convenient assumption that
authentication will be against a piece of content, so it's not possible to use
Remember-based member content with a different authentication plug-in.  this
is a mistake that will be fixed, however; some work was done on a Membrane
branch during the Sorrento sprint towards this end, but wasn't finished.  i
don't have a schedule for when this will be finished, but i can say with
assuredness that it will be... openplans.org depends on Remember, and we plan
on supporting OpenID authentication (and possibly others) in the
not-too-distant future, so we'll need to finish this up.

hope this helps,

-r
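The two issues Rob raises (the e-mail address becoming harvestable once it is the displayed user id, and '@' not being a plain path character once it is the Zope object id) can be checked with a few lines of Python. This is an added example, not code from Remember or Plone: it reuses Matt's relaxed pattern from the thread, and the helpers `derive_member_object_id` and `display_name_for` are hypothetical illustrations of keeping the login name, the object id and the displayed name separate.

```python
import hashlib
import re
from urllib.parse import quote

# Matt's relaxed validator pattern from the thread (raw string, same meaning):
# a letter, then letters, digits, '_', '.', '@' or '-'.
ALLOWED_MEMBER_ID_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9_.@\-]*$")

# Constructed for this example: what we are willing to use verbatim as a
# URL path segment (no '@', no '.', lower case only).
URL_SAFE_ID_PATTERN = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def login_is_allowed(login):
    """True if the login name passes Matt's relaxed pattern."""
    return ALLOWED_MEMBER_ID_PATTERN.match(login) is not None


def needs_url_escaping(login):
    """True if using this login as the object id would not survive
    the URL path unchanged (e.g. '@' becomes '%40')."""
    return quote(login, safe="") != login


def derive_member_object_id(login):
    """Hypothetical helper: derive an opaque, URL-safe object id from the
    login so the e-mail address is neither the object id nor part of the
    member's URL. Case and surrounding whitespace are normalised first so
    the same address always maps to the same id."""
    normalised = login.strip().lower().encode("utf-8")
    object_id = "member-" + hashlib.sha256(normalised).hexdigest()[:16]
    assert URL_SAFE_ID_PATTERN.match(object_id)
    return object_id


def display_name_for(login, full_name=None):
    """Hypothetical helper: what the UI shows instead of the login.
    Prefer the member's full name; otherwise show only the local part,
    so the full address is not sitting in page markup for harvesting."""
    if full_name:
        return full_name
    return login.split("@", 1)[0]
```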

MattBowen

Re: Email Addresses as User Names

Hi Rob (and others),

Thanks for replying to this thread. I've been trying to do the 'bit of work' to separate the user name from the ID, and I can get close, but my objects don't save. I think there's got to be something I'm missing, and if you, or anyone else, could give some suggestions, I'd be grateful.

Rob Miller wrote
the only other issue that i can think of is that with Remember, by default,
login name == user id == id of the member object.
I've tried to take these apart in my custom type's schema. I've added a stringField called 'id', which looks like this guy:
    # Inspired by Archetypes' BaseObject schema
    StringField('id',
                required=0,
                accessor='getId',
                mutator='setId',
                mode='rw',
                read_permission=VIEW_PUBLIC_PERMISSION,
                write_permission=EDIT_ID_PERMISSION,
                default=None,
                widget=IdWidget( label=u'Short Name',
                                 description=u'Should not contain spaces, underscores or mixed case. '\
                                 'Short Name is part of the item\'s web address.',
                                 visible={'view' : 'invisible'}
                                 ),
                regfield=0, ## this field is not on the registration form
                user_property=True,
                ),

I then added a username field as follows:
    StringField('user_name',
                required=1,
                accessor='getUser_name',
                mode='rw',
                read_permission=VIEW_PUBLIC_PERMISSION,
                write_permission=EDIT_ID_PERMISSION,
                default=None,
                index=('membrane_tool/ZCTextIndex,lexicon_id=member_lexicon,index_type=Cosine Measure|TextIndex:brains',
                       'FieldIndex:brains'),
                widget=IdWidget(label='User name',
                                    label_msgid='label_user_name',
                                    size=10,
                                    maxlength=25,
                                    description="Enter a user name, usually something like "
                                    "'jsmith'. Email addresses are OK. User "
                                    "names and passwords are case sensitive, make sure "
                                    "the capslock key is not enabled. This is the name "
                                    "used to log in.",
                                    description_msgid='help_user_name_creation_casesensitive',
                                    i18n_domain='plone',
                                    display_autogenerated=0,
                                    macro='memid',
                                    ),
                regfield=1,  ### this field is part of the registration form
                user_property=True,
                ),
    ),
    )  # closes the enclosing schema tuple of the custom type


I've overridden getUserName to refer to my new field (return self.getUser_name()).

The addMember (portal/createMember?type_name=legacyUser) form looks the way I'd expect, with a User Name field at the bottom that's required. However, when I try to create a new user, it just returns me to the form with the message "Changes saved." and the password and user names fields blank. The changes are not saved and the user's never created. So it's not working, but I'm not getting any errors (running zope fg).

Anyone have any idea what I'm missing? Is there some way to explicitly tell Plone that the ID is no longer the user name, since that's an important field?

Thanks!
Matt