PluggableAuthService changelog
==============================

PluggableAuthService 1.6.5 (2011-05-30)
---------------------------------------

- Launchpad #789858:  don't allow conflicting login name in 'updateUser'.

- Launchpad #672694: In the ZODBRoleManager made it clearer that
  adding a removing a role does not have much effect if you do not do
  the same in the root of the site (at the bottom of the Security tab
  at manage_access).


PluggableAuthService 1.6.4 (2010-11-04)
---------------------------------------

- Don't fail on users defined in multiple user sources on the ZODBGroupManager
  listing page.


PluggableAuthService 1.6.3 (2010-02-01)
---------------------------------------

- Fixed xml templates directory path computation to allow reuse of 
  ``SimpleXMLExportImport`` class outside ``Products.PluggableAuthService``.


PluggableAuthService 1.6.2 (2009-11-16)
---------------------------------------

- Launchpad #420319:  Fix misconfigured ``startswith`` match type filter
  in ``plugins.DomainAuthHelper``.

- Fixed test setup for tests using page templates relying on the
  DefaultTraversable adapter.

- Fixed broken markup.


PluggableAuthService 1.6.1 (2008-11-20)
---------------------------------------

- Launchpad #273680:  Avoid expensive / incorrect dive into 'enumerateUsers'
  when trying to validate w/o either a real ID or login.

- Launchpad #300321:  ZODBGroupManager.enumerateGroups failed to find
  groups with unicode IDs.


PluggableAuthService 1.6 (2008-08-05)
-------------------------------------

- Fixed another deprecation for manage_afterAdd occurring when used
  together with Five (this time for the ZODBRoleManager class).

- Ensure the _findUser cache is invalidated if the roles or groups for
  a principal change.

- Launchpad #15569586:  docstring fix.

- Factored out 'filter' logic into separate classes;  added filters
  for 'startswith' test and (if the IPy module is present) IP-range
  tests.  See https://bugs.launchpad.net/zope-pas/+bug/173580 .

- Zope 2.12 compatibility - removed Interface.Implements import if
  zope.interface available.

- Ensure ZODBRoleManagerExportImport doesn't fail if it tries to add a
  role that already exists (idempotence is desirable in GS importers)

- Fixed tests so they run with Zope 2.11.

- Split up large permission tests into individual tests.

- Fixed deprecation warning occurring when used together with
  Five. (manage_afterAdd got undeprecated.)

- Added buildout.


PluggableAuthService 1.5.3 (2008-02-06)
---------------------------------------

- ZODBUserManager plugin: allow unicode arguments to
  'enumerateUsers'. (https://bugs.launchpad.net/zope-pas/+bug/189627)

- plugins/ZODBRoleManager: added logging in case searchPrincipial()
  returning more than one result (which might happen in case of having
  duplicate id within difference user sources)


PluggableAuthService 1.5.2 (2007-11-28)
---------------------------------------

- DomainAuthHelper plugin:  fix glitch for plugins which have never
  configured any "default" policy:  'authenticateCredentials' and
  'getRolesForPrincipal' would raise ValueError.
  (http://www.zope.org/Collectors/PAS/59)


PluggableAuthService 1.5.1 (2007-09-11)
---------------------------------------

- PluggableAuthService._verifyUser: changed to use exact_match to the 
  enumerator, otherwise a user with login 'foobar' might get returned 
  by _verifyUser for a query for login='foo' because the enumerator 
  happened to return 'foobar' first in the results.

- Add a test for manage_zmi_logout and replace a call to isImplementedBy
  with providedBy.
  (http://www.zope.org/Collectors/PAS/58)


PluggableAuthService 1.5 (2006-06-17)
-------------------------------------

- Add support for property plugins returning an IPropertySheet
  to PropertiedUser. Added addPropertysheet to the IPropertiedUser.

- Added a method to the IRoleAssignerPlugin to remove roles from a
  principal, and an implementation for it on the ZODBRoleManager.
  (http://www.zope.org/Collectors/PAS/57)

- Added events infrastructure. Enabled new IPrincipalCreatedEvent and
  ICredentialsUpdatedEvent events.

- Added support for registering plugin types via ZCML.

- Implemented authentication caching in _extractUserIds.

- Ported standard user folder tests from the AccessControl test suite.

- Passwords with ":" characters would break authentication
  (http://www.zope.org/Collectors/PAS/51)

- Corrected documented software dependencies

- Converted to publishable security sensitive methods to only accept
  POST requests to prevent XSS attacks.  See
  http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement and
  http://dev.plone.org/plone/ticket/6310

- Fixed issue in the user search filter where unrecognized keyword
  arguments were ignored resulting in duplicate search entries.
  (http://dev.plone.org/plone/ticket/6300)

- Made sure the Extensions.upgrade script does not commit full
  transactions but only sets (optimistic) savepoints. Removed bogus
  Zope 2.7 compatibility in the process.
  (http://www.zope.org/Collectors/PAS/55)

- Made the CookieAuthHelper only use the '__ac_name' field if
  '__ac_password' is also present. This fixes a login problem for
  CMF sites where the login name was remembered between sessions with
  an '__ac_name' cookie.

- Made the DomainAuthHelper return the remote address, even it the
  remote host is not available (http://www.zope.org/Collectors/PAS/49).

- Fixed bug in DelegatingMultiPlugin which attempted to validate the
  supplied password directly against the user password - updated to use
  AuthEncoding.pw_validate to handle encoding issues

- Fixed serious security hole in DelegatingMultiPlugin which allowed
  Authentication if the EmergencyUser login was passed in.  Added
  password validation utilizing AuthEncoding.pw_validate

- Fixed a set of tests that tested values computed from dictionaries 
  and could break since dictionaries are not guaranteed to have any 
  sort order.

- Fixed test breakage induced by use of Z3 pagetemplates in Zope
  2.10+.

- BasePlugin: The listInterfaces method only considered the old-style
  __implements__ machinery when determining interfaces provided by
  a plugin instance.

- ZODBUserManager: Already encrypted passwords were encrypted again in
  addUser and updateUserPassword.
  (http://www.zope.org/Collectors/Zope/1926)

- Made sure the emergency user via HTTP basic auth always wins, no matter
  how borken the plugin landscape.

- cleaned up code in CookieAuthHelper which allowed the form to override
  login/password if a cookie had already been set.

- Removed some BBB code for Zope versions < 2.8, which is not needed 
  since we require Zope > 2.8.5 nowadays.

