Merged: PLIP 2092 Replace portal_skins-based login with a browserview-based one

I am glad to report the merging of https://github.com/plone/Products.CMFPlone/issues/2092 or in other words: plone.login was merged into Plone 5.2 coredev in Products.CMFPlone.

The whole plone.login development goes back to 2014

In 2014 at the Emerald Sprint the package https://github.com/plone/plone.login was created. It is based on z3c.form and is used in various projects but was never finished. Since then some aspects of it have been reimplemented (e.g. password-reset and registration-forms) in various places but the main thing (the login) is still based on skin scripts.

The new forms and views could either live in plone.login or moved to Products.CMFPlone. For now we have them in plone.login so it can be used as a add-on.

Roughly one year ago @esteele and @pbauer took the code and made it work and rock in a recent Plone 5.

After @agitator used the add-on in a customer project, Peter and I found it still rough and not easy to customize. So, plone.login got an overhaul. We removed complexity and template customization is now easy, with z3c.jbot. i18n-message-ids were added, a first German translation done. External login features like with pas.plugins.authomatic were added. The above all happened in the addon code. I released plone.login too - which works with Plone 5.1 (and probably with 5.0 - untested so far).

Now, the framework team decided to not add again another add-on package to the core, but move the code, mostly browser views and tests, over to Products.CMFPlone.

This was done by me (among many other tasks) at Buschenschanksprint in South Styria/Austria last week! After many tests needed some love to work with the new login system and many pre-merged were done:

Today I finally merged the code. Have fun!

Also one feature was removed. Probably rarely used and difficult to make it work, there was a feature of an non-standard single sign on between several Plone site by passing the content of the auth-tkt __ac cookie of a login-site to one or more Plone sites by using a shared secret, even cross-domain! While sharing a cookie still works using cookie-domain and a shared cookie - as its standard, the (in our opinion amongst the sprinters last week) hacky way was removed. It caused headache, blew up the code and better does not live as a recommended way for SSO in Plone core. If someone out there really depends on this feature, please go and create an add-on. In our opinion there are better ways to do SSO, like using OAuth2, Shibboleth/SAML2 or some other widely accepted way.

I am sure there are some bugs left. Test coverage on our login system is really good, but anyway I already found one https://github.com/plone/Products.CMFPlone/issues/2451. Any hint appreciated.

Before you start complaining about the new login after Plone 5.2 is released final, just test it. At least as soon as a alpha or beta is out. Otherwise I will point you to this post!

Finally, together with the current efforts in migrating code to work in Python 3, this was the last place, where Products.CMFFormController were used in core in packages planned to run in Python 3. So, we can move it out of core into the outer ecosystem around Plone, similar to Archetypes.

6 Likes

Great work!

1 Like

A good gardener knows when and where to cut. Congrats.