A major vulnerability has been discovered. When a user logs in with Janrain using AOL, Janrain reports an identifier=None instead of a valid unique id for the user as it normally does. Therefore, if two different people log in to a web2py application using different AOL accounts, Janrain reports them as the same person.
I have just pushed a partial fix to trunk that prevents login when the Janrain identifier is set to None. That means you cannot log in to web2py with AOL. According to the Janrain online docs, the identifier should be unique for every user, but that does not appear to be the case for AOL users. Even if you do not wish to upgrade, copy gluon/contrib/login_methods/rpx_account.py from trunk into your version.

Massimo
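
The collision described above and the kind of check that blocks it, as an added example that is not part of the original post and is not the code in rpx_account.py. The function names, the profile layout and the sample profiles are assumptions made for illustration; the check also rejects the string "None" in case the value arrives serialized.

```python
class InvalidIdentifier(Exception):
    """The provider profile carries no usable unique identifier."""


def _account(users, key, profile):
    # Return the existing local account for this key, or create one.
    return users.setdefault(key, {"id": len(users) + 1, "email": profile.get("email")})


def naive_login(users, profile):
    # Keys the local account on whatever the provider sent, even None,
    # so every profile without an identifier lands on the same account.
    return _account(users, profile.get("identifier"), profile)


def validated_identifier(profile):
    ident = profile.get("identifier")
    if not isinstance(ident, str):
        raise InvalidIdentifier("identifier missing or not a string")
    ident = ident.strip()
    # Empty values and serialized placeholders are as unusable as None.
    if not ident or ident.lower() in ("none", "null"):
        raise InvalidIdentifier("identifier empty or placeholder")
    return ident


def strict_login(users, profile):
    # Refuse the login outright instead of guessing at an identity.
    return _account(users, validated_identifier(profile), profile)


# Constructed sample profiles (hypothetical layout and values).
ALICE = {"provider": "AOL", "identifier": None, "email": "alice@example.test"}
BOB = {"provider": "AOL", "identifier": None, "email": "bob@example.test"}
CAROL = {"provider": "Other", "identifier": "https://idp.example.test/carol",
         "email": "carol@example.test"}

if __name__ == "__main__":
    users = {}
    first, second = naive_login(users, ALICE), naive_login(users, BOB)
    print("naive: Bob gets Alice's account:", first is second)
    for p in (ALICE, BOB, CAROL):
        try:
            print("strict:", p["email"], "->", strict_login({}, p))
        except InvalidIdentifier as exc:
            print("strict:", p["email"], "rejected:", exc)
```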