[PLIP-Advisories] Re: [Plone] #9214: support logins using e-mail address instead of user id

plip-advisories at lists.plone.org
Wed Oct 7 17:59:03 UTC 2009


#9214: support logins using e-mail address instead of user id
-----------------------+----------------------------------------------------
 Reporter:  davisagli  |        Owner:  maurits 
     Type:  PLIP       |       Status:  assigned
 Priority:  minor      |    Milestone:  4.0     
Component:  Unknown    |   Resolution:          
 Keywords:             |  
-----------------------+----------------------------------------------------

Comment(by dukebody):

 I'm concerned about the confusion that switching this feature on and off
 in existing sites could create. As stated in the PLIP readme:

 """
 Enabling this on a website that already has users may be confusing for
 those users.  When logging in they will be asked for their email
 address, but these existing users should actually still login with the
 login name they have chosen.
 """

 Also:
 """
 - If you change your email address, you can no longer login with your
   original email address, though that is still your user id.  A user
   created before use_email_as_login was switched on can only login
   with his original login name until the first time that he saves his
   personalize_form.  After that he needs his current email address.
   We could allow the user id to be used for login as well.  I thought
   I had that working with the collective.emaillogin package, but
   apparently not.  It can be done if we want this.  It would need a
   change in PluggableAuthService.py in the _verifyUser method;
   basically doing a second pass over that function with the passed
   login name used as user_id instead.
 """

 User id and login name are different things AFAIK. According to the
 README, the migration back to plain login names uses user ids as login
 names, mixing them (although I have no idea about what could be a
 use case where one needs login names different from user ids).

 Wouldn't it be simpler to create a PAS authentication plugin which
 searches the user database for a user with the entered email address and
 tries to authenticate it? If there are serious performance problems in sites
 with many users, we could create a catalog of (user id - email) pairs.
 Also, this approach would allow both email and username login
 simultaneously (the email login PAS plugin just has to fail).

 My two cents. :)

-- 
Ticket URL: <http://dev.plone.org/plone/ticket/9214#comment:39>
Plone <http://plone.org>
Plone Content Management System
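
The plugin chain proposed in the comment above, as an added example that is not part of the original message and is not Plone or PluggableAuthService code: an email plugin resolves the address to a user id through a (user id - email) catalog and fails when the address is unknown or shared by several accounts, so the user-id plugin still gets its turn. `UserStore`, `email_plugin`, `userid_plugin` and `authenticate` are hypothetical names, and the password hashing is a stand-in chosen for the illustration.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Hypothetical user database plus the (email -> user ids) catalog."""

    def __init__(self):
        self._users = {}    # user id -> (salt, password hash)
        self.by_email = {}  # normalized email -> set of user ids

    def add(self, user_id, password, email):
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash(password, salt))
        self.by_email.setdefault(email.strip().lower(), set()).add(user_id)

    def check_password(self, user_id, password):
        if user_id not in self._users:
            return False
        salt, stored = self._users[user_id]
        return hmac.compare_digest(stored, _hash(password, salt))


def email_plugin(store, login, password):
    """Treat the login as an email; fail unless exactly one user has it."""
    matches = store.by_email.get(login.strip().lower(), set())
    if len(matches) != 1:
        return None  # unknown or shared address: let the next plugin try
    (user_id,) = matches
    return user_id if store.check_password(user_id, password) else None


def userid_plugin(store, login, password):
    return login if store.check_password(login, password) else None


def authenticate(store, login, password):
    """Run the plugins in order; the first user id returned wins."""
    for plugin in (email_plugin, userid_plugin):
        user_id = plugin(store, login, password)
        if user_id is not None:
            return user_id
    return None
```

With two accounts registered under one address, `authenticate` returns `None` for that address whatever password is supplied, while each of those accounts can still log in with its own user id.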

