id,summary,reporter,owner,description,type,status,priority,component,severity,resolution,keywords,cc,release
5964,[patch] Prevent multiple calls to LoginModule._remote_user(),ebray,hasienda,I was having a problem where if a user logs in with invalid credentials using the form-based login_ authentication would be performed twice.  Why this happens is complicated_ and has to do with additional plugins that implement `IRequestFilter`_ so I won't go into the details right now_ but am willing to if necessary.\r\n\r\nRegardless_ I don't think `LoginModule._remote_user()` (and by extension `AccountManager.check_password()`) should be called more than once in the request.  This is especially a problem in my case_ where users who're authenticating against an LDAP server are being locked out of their accounts due to invalid logins much faster than they should.\r\n\r\nThis was my solution--in my setup the only thing that should be setting the 'REMOTE_USER' environment variable is the account manager plugin.  Though maybe a more flexible approach would be desired:\r\n\r\n{{{\r\n#!diff\r\nIndex: web_ui.py\r\n===================================================================\r\n--- web_ui.py   (revision 6688)\r\n+++ web_ui.py   (working copy)\r\n@@ -437_7 +437_8 @@\r\n \r\n    def authenticate(self_ req):\r\n        if req.method == 'POST' and req.path_info.startswith('/login'):\r\n-            req.environ['REMOTE_USER'] = self._remote_user(req)\r\n+            if 'REMOTE_USER' not in req.environ:\r\n+                req.environ['REMOTE_USER'] = self._remote_user(req)\r\n        return auth.LoginModule.authenticate(self_ req)\r\n    authenticate = if_enabled(authenticate)\r\n}}},enhancement,closed,normal,AccountManagerPlugin,normal,fixed,ldap authentication,rjollos,0.11
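Review bot: The new guard `if 'REMOTE_USER' not in req.environ:` in `authenticate()` treats the mere presence of `REMOTE_USER` as proof that this method already checked the posted credentials. `REMOTE_USER` is a standard environment variable that the web server or another component can also set. If it is set that way, a POST to `/login` skips `self._remote_user(req)` entirely and the submitted credentials are never verified against the account manager. To keep the "run once per request" behaviour without relying on a shared variable, record the outcome under a dedicated key that only this method writes and test for that key instead. The guard also depends on the key being stored when `_remote_user()` reports a failed login, so a short comment stating that intent would help the next reader.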
