Fedora 12 Update: python-repoze-who-1.0.18-2.fc12

updates at fedoraproject.org
Tue Aug 17 05:32:16 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-8006
2010-05-06 02:05:09
--------------------------------------------------------------------------------

Name        : python-repoze-who
Product     : Fedora 12
Version     : 1.0.18
Release     : 2.fc12
URL         : http://pypi.python.org/pypi/repoze.who
Summary     : An identification and authentication framework for WSGI
Description :
repoze.who is an identification and authentication framework for arbitrary WSGI
applications.  It acts as WSGI middleware.

repoze.who is inspired by Zope 2's Pluggable Authentication Service (PAS) (but
repoze.who is not dependent on Zope in any way; it is useful for any WSGI
application).  It provides no facility for authorization (ensuring whether a
user can or cannot perform the operation implied by the request).  This is
considered to be the domain of the WSGI application.

--------------------------------------------------------------------------------
Update Information:

1.0.18 (2009-11-05)

  * Issue #104: AuthTkt plugin was passing an invalid cookie value in headers
    from forget, and was not setting the Max-Age and Expires attributes of
    those cookies.

1.0.17 (2009-11-05)

  * Fixed the repoze.who.plugins.form.make_plugin factory's formcallable
    argument handling, to allow passing in a dotted name (e.g., from a config
    file).

1.0.16 (2009-11-04)

  * Exposed formcallable argument for repoze.who.plugins.form.FormPlugin to
    the callers of the repoze.who.plugins.form.make_plugin factory. Thanks to
    Roland Hedburg for the report.

  * Fixed an issue that caused the following symptom when using the ini
    configuration parser:

      TypeError: _makePlugin() got multiple values for keyword argument 'name'

    See http://bugs.repoze.org/issue92 for more details. Thanks to vaab for
    the bug report and initial fix.

1.0.15 (2009-06-25)

  * If the form post value max_age exists while the identify method is
    handling the login_handler_path, pass the max_age value in the returned
    identity dictionary as max_age. See the next bullet point for why.

  * If the identity dict passed to the auth_tkt remember method contains a
    max_age key with a string (or integer) value, treat it as a cue to set the
    Max-Age and Expires headers in the returned cookies. The cookie Max-Age is
    set to the value and the Expires is computed from the current time.

1.0.14 (2009-06-17)

  * Fix test breakage on Windows. See http://bugs.repoze.org/issue79 .

  * Documented issue with using include_ip setting in the auth_tkt plugin.
    See http://bugs.repoze.org/issue81 .

  * Added 'passthrough_challenge_decider', which avoids re-challenging 401
    responses which have been "pre-challenged" by the application.

  * One-hundred percent unit test coverage.

  * Add timeout and reissue_time arguments to the auth_tkt identifier plugin,
    courtesy of Paul Johnston.

  * Add a userid_checker argument to the auth_tkt identifier plugin, courtesy
    of Gustavo Narea.

    If userid_checker is provided, it must be a dotted Python name that
    resolves to a function which accepts a userid and returns a boolean True
    or False, indicating whether that user exists in a database.

    This is a workaround. Due to a design bug in repoze.who, the only way who
    can check for user existence is to use one or more IAuthenticator plugin
    authenticate methods. If an IAuthenticator's authenticate method returns
    true, it means that the user exists. However, most IAuthenticator plugins
    expect both a username and a password, and will return False
    unconditionally if both aren't supplied. This means that an authenticator
    can't be used to check if the user "only" exists. The identity provided by
    an auth_tkt does not contain a password to check against.

    The actual design bug in repoze.who is this: when a user presents
    credentials from an auth_tkt, he is considered "preauthenticated".
    IAuthenticator.authenticate is just never called for a "preauthenticated"
    identity, which works fine, but it means that the user will be considered
    authenticated even if you deleted the user's record from whatever database
    you happen to be using. However, if you use a userid_checker, you can
    ensure that a user exists for the auth_tkt supplied userid. If the
    userid_checker returns False, the auth_tkt credentials are considered
    "no good".
--------------------------------------------------------------------------------
ChangeLog:

* Tue May  4 2010 Luke Macken <lmacken at redhat.com> - 1.0.18-2
- Run the test suite in %check
* Mon Apr 26 2010 Felix Schwarz <felix.schwarz at oss.schwarz.eu> - 1.0.18-1
- Update to the latest upstream release.
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update python-repoze-who' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

