Package: zope-exuserfolder
Version: 0.50.1-5
Severity: important

The patch used for #229003 replaces self.name with people['password'][:2] in User.py. Unfortunately, after the introduction of pluggable encryption, the assumptions behind the patch (that the first two characters in 'password' are the encryption salt) seem to not be necessarily true anymore. Thus, the encryption routine is being called with the wrong salt during authentication, leading to authentication failures.

A workaround fix is to disable the patch. A proper fix would probably require changing the encryption plugins' authentication method to take the triple (username, typed_password, stored_encrypted_password) and let them decide what the salt is.
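An added illustration of the interface the report proposes, not code from exUserFolder or from the reporter: each plugin receives the triple and locates its own salt, next to a caller that assumes the salt is the first two characters of the stored value. All function names, both hash layouts and the sample records are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac

def prefix_encrypt(salt, password):
    # Stand-in for a crypt(3)-style layout: the 2-character salt leads the output.
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()

def ssha_encrypt(salt, password):
    # SSHA-style layout: base64(sha1(password + salt) + salt); the salt trails.
    if isinstance(salt, str):
        salt = salt.encode()
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Hypothetical plugin verifiers taking (username, typed_password,
# stored_encrypted_password). Username is unused here, but a plugin could use it.
def verify_prefix(username, typed, stored):
    salt = stored[:2]  # this scheme really does keep its salt up front
    return hmac.compare_digest(prefix_encrypt(salt, typed), stored)

def verify_ssha(username, typed, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    salt = raw[20:]  # a SHA-1 digest is 20 bytes; the remainder is the salt
    return hmac.compare_digest(ssha_encrypt(salt, typed), stored)

PLUGINS = {"prefix": verify_prefix, "ssha": verify_ssha}

def authenticate(scheme, username, typed, stored):
    # The caller never guesses a salt; it hands the whole triple to the plugin.
    return PLUGINS[scheme](username, typed, stored)

def authenticate_assuming_prefix_salt(encrypt, typed, stored):
    # Behaviour the report describes: the caller passes stored[:2] as the salt
    # regardless of which encryption plugin produced the stored value.
    return hmac.compare_digest(encrypt(stored[:2], typed), stored)

# Constructed sample records for the same password under both schemes.
STORED_PREFIX = prefix_encrypt("ab", "s3cret")
STORED_SSHA = ssha_encrypt(b"\x01\x02\x03\x04", "s3cret")

if __name__ == "__main__":
    print(authenticate("ssha", "alice", "s3cret", STORED_SSHA))
    print(authenticate_assuming_prefix_salt(ssha_encrypt, "s3cret", STORED_SSHA))
```

With the fixed-prefix caller, the correct password is rejected for the scheme whose salt is not at the front, which matches the authentication failures reported.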