redundant emergency user checks?

Bug #908834 reported by Markos Gogoulos
This bug affects 1 person

Affects: Zope PAS
Importance: Low
Assigned to: Unassigned

Bug Description

Hello all,

As I was doing some debugging on a Plone portal I came into this.

On function _extractUserIds of PluggableAuthService.py, function tryEmergencyUserAuthentication is called twice, for every file requested by Plone, in order to check if the user requesting the file is the Emergency user.... Does this have to be there, or is it somehow redundant? Is anyone using emergency user anymore?

What do you think?

Regards,
Markos

Revision history for this message
Tres Seaver (tseaver) wrote :

The emergency user is still quite valuable, allowing the site owner to
recover from a catastrophic misconfiguration of the root acl_users folder.

The checks you describe are actually not uselessly redundant: each set
of credentials extracted by the configured plugins is tried first against
the emergency user; at the end, there is also a "default default" check
for basic auth / emergency user (even if no normal basic auth plugin is
configured).

Again, this redundancy is there for "in case of emergency break glass"
cases, which would otherwise make configuring the PAS TTW too risky.

Changed in zope-pas:
importance: Undecided → Low
status: New → Won't Fix
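A simplified Python model of the extraction order described in the comment above, added here as an illustration and not Zope PAS's own code: the extractor and authenticator stand-ins, the user table and the credentials are all constructed, and the choice to run the final Basic-auth emergency check only when the plugins matched nobody is this model's assumption, not something the page states.

```python
import base64

# Constructed emergency credentials and user table for the illustration (not real values).
EMERGENCY_USER = ("emergency", "break-glass")
USERS = {"alice": "wonderland"}


def try_emergency_user_authentication(creds):
    """Return the emergency user id if the credentials match it, else None."""
    if (creds.get("login"), creds.get("password")) == EMERGENCY_USER:
        return "emergency"
    return None


def basic_auth_credentials(request):
    """Parse an HTTP Basic Authorization header into a credential dict."""
    header = request.get("Authorization", "")
    if not header.startswith("Basic "):
        return {}
    login, _, password = base64.b64decode(header[6:]).decode().partition(":")
    return {"login": login, "password": password}


def cookie_credentials(request):
    """Stand-in for a cookie-based extraction plugin (constructed cookie format)."""
    login, _, password = request.get("auth_cookie", "").partition(":")
    return {"login": login, "password": password} if login else {}


def authenticate_normal(creds):
    """Stand-in for the configured (non-emergency) authentication plugins."""
    login = creds.get("login")
    if login in USERS and USERS[login] == creds.get("password"):
        return login
    return None


def extract_user_ids(request, extractors):
    """Mirror the comment's order: each extracted credential set is tried
    against the emergency user before the normal plugins, then a 'default
    default' Basic-auth emergency check runs even with no Basic-auth plugin
    configured (here only when nobody matched: an assumption of this model)."""
    found = []
    for extract in extractors:
        creds = extract(request)
        if creds:
            uid = try_emergency_user_authentication(creds) or authenticate_normal(creds)
            if uid:
                found.append(uid)
    if not found:
        uid = try_emergency_user_authentication(basic_auth_credentials(request))
        if uid:
            found.append(uid)
    return found
```

Note that the last branch is what lets a site owner still get in with the emergency user over plain Basic auth when every configured plugin is misconfigured or absent.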