Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-22 Thread Sidnei da Silva
On Fri, Apr 22, 2005 at 09:11:28AM +0100, Chris Withers wrote:
| Sidnei da Silva wrote:
| 
| >Well, my use-case is actually for WebDAV. So you won't just visit a
| >different part of the site at random. I'm currently trying to
| >understand if this would be a problem for WebDAV too.
| 
| Nevertheless, since you're in the code already, can you add the big 
| comment explaining why it is like it is?
| (or tell me a file and line number so I can do it)

There's a patch attached to the first message of the thread.

-- 
Sidnei da Silva <[EMAIL PROTECTED]>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

 So...
 XML.
*** Quits: dash:#twisted [EMAIL PROTECTED] (Read error: 113 (No route to host))
 Wow... just _saying_ it makes him disappear
___
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-22 Thread Chris Withers
Sidnei da Silva wrote:
> Well, my use-case is actually for WebDAV. So you won't just visit a
> different part of the site at random. I'm currently trying to
> understand if this would be a problem for WebDAV too.

Nevertheless, since you're in the code already, can you add the big
comment explaining why it is like it is?
(or tell me a file and line number so I can do it)

cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-22 Thread Chris Withers
Lennart Regebro wrote:
>> I don't think that's the case. I have a specific requirement on the
>> project I'm currently working on to know who the current user is, even
>> if the something is anonymously accessible.
>
> So you *allow* authorization, and use it, but you don't *require* it.

No. I was to authenticate when credentials are present rather than
waiting until authorization is required before starting to look for
authentication credentials...

>> Perhaps userfolders should have the opportunity to do something as
>> they're traversed through to authenticate, rather than waiting until
>> something that requires authorisation kicks them off?
>
> Sounds reasonable.

Any ideas where/how that should be implemented?

>> Well, I have to say I was really disappointed when I read the W3C specs
>> for response codes. They freely interchange authentication and
>> authorization, which are two totally different concepts :-(
>
> Right.

Well, I hope your use of "authorization" after "*allow*" was an accident
then ;-)

cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-21 Thread Sidnei da Silva
On Thu, Apr 21, 2005 at 01:11:57PM +0100, Chris Withers wrote:
| Indeed. So, this explains the reason why incorrect auth credentials 
| result in an anonymous user rather than an auth failure. Read that way, I 
| think it should stay that way, unless anyone can suggest anything better.
| However, it might help if whoever's "in" this code currently adds a big 
| comment explaining the reasoning. Sidnei?

Well, my use-case is actually for WebDAV. So you won't just visit a
different part of the site at random. I'm currently trying to
understand if this would be a problem for WebDAV too.

-- 
Sidnei da Silva <[EMAIL PROTECTED]>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

Passwords are implemented as a result of insecurity.


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-21 Thread Lennart Regebro
On 4/21/05, Chris Withers <[EMAIL PROTECTED]> wrote:
> > If it's accessible by anonymous that is the same as not requiring 
> > authorization.
> 
> I don't think that's the case. I have a specific requirement on the
> project I'm currently working on to know who the current user is, even
> if the something is anonymously accessible.

So you *allow* authorization, and use it, but you don't *require* it.

> Perhaps userfolders should have the opportunity to do something as
> they're traversed through to authenticate, rather than waiting until
> something that requires authorisation kicks them off?

Sounds reasonable.

> > Nope, not IE. Yes, that is non-standard.
> 
> Are you sure? I'm pretty sure I remember the ZMI's "logout" link working
> in IE, and that relies on returning 401's...

Last time I checked it didn't work.

> > But they do that so that if
> > you click on something that you can NOT access, you can continue
> > surfing without having to log in again. Which actually is pretty
> > reasonable in a way.
> 
> ...not if they don't also provide a method to consciously drop basic
> auth headers ;-)

Yet Another Crappy Standard.

> Well, I have to say I was really disappointed when I read the W3C specs
> for response codes. They freely interchange authentication and
> authorization, which are two totally different concepts :-(

Right.

-- 
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-21 Thread Chris Withers
Lennart Regebro wrote:
>>>> Supposedly you would not be able to access that part of the site until
>>>> you authenticate against it. Isn't that the case now?
>>>
>>> Assuming it requires authentication, yes.
>>
>> And if it doesn't require authentication?
>
> It would fail, since you supplied incorrect authentication. That's
> pretty counter-intuitive. You are logged in, and click on a part of
> the site where you should not need authentication, and you get
> authentication errors. ;)

Indeed. So, this explains the reason why incorrect auth credentials
result in an anonymous user rather than an auth failure. Read that way, I
think it should stay that way, unless anyone can suggest anything better.
However, it might help if whoever's "in" this code currently adds a big
comment explaining the reasoning. Sidnei?

>> Also, what determines whether it requires authentication? authorisation
>> requirements or something else?
>
> If it's accessible by anonymous that is the same as not requiring authorization.

I don't think that's the case. I have a specific requirement on the
project I'm currently working on to know who the current user is, even
if the something is anonymously accessible.

Perhaps userfolders should have the opportunity to do something as
they're traversed through to authenticate, rather than waiting until
something that requires authorisation kicks them off?

>>> The main problem here is that Internet Explorer doesn't allow you to
>>> log out, for example.
>>
>> I thought returning enough 401's usually prompts any browser to drop its
>> basic auth?
>
> Nope, not IE. Yes, that is non-standard.

Are you sure? I'm pretty sure I remember the ZMI's "logout" link working
in IE, and that relies on returning 401's...

> But they do that so that if
> you click on something that you can NOT access, you can continue
> surfing without having to log in again. Which actually is pretty
> reasonable in a way.

...not if they don't also provide a method to consciously drop basic
auth headers ;-)

> 403 Forbidden: The server understood the request, but is refusing to
> fulfill it. Authorization will not help and the request SHOULD NOT be
> repeated. If the request method was not HEAD and the server wishes to
> make public why the request has not been fulfilled, it SHOULD describe
> the reason for the refusal in the entity. If the server does not wish
> to make this information available to the client, the status code 404
> (Not Found) can be used instead.
>
> I fail to see how this is a reasonable response when you request a page
> that is public just because your credentials are invalid in that
> location. It's a bit like refusing people into a public park because
> they have a security badge on their shirt. ;)

Well, I have to say I was really disappointed when I read the W3C specs
for response codes. They freely interchange authentication and
authorization, which are two totally different concepts :-(

However, yes, I agree your use case is important, particularly for Zope
with its devolved idea of user management, and so am now against the
change Sidnei was suggesting...

cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-20 Thread Paul Winkler
On Wed, Apr 20, 2005 at 06:22:10PM +0200, Lennart Regebro wrote:
> On 4/20/05, Chris Withers <[EMAIL PROTECTED]> wrote:
> > Lennart Regebro wrote:
> > >>Supposedly you would not be able to access that part of the site until
> > >>you authenticate against it. Isn't that the case now?
> > >
> > > Assuming it requires authentication, yes.
> > 
> > And if it doesn't require authentication?
> 
> It would fail, since you supplied incorrect authentication. That's
> pretty counter-intuitive. You are logged in, and click on a part of
> the site where you should not need authentication, and you get
> authentication errors. ;)

That's what I was trying to tease out but I couldn't put my finger
on it late last night. Thanks Lennart.
-- 

Paul Winkler
http://www.slinkp.com


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-20 Thread Lennart Regebro
On 4/20/05, Chris Withers <[EMAIL PROTECTED]> wrote:
> Lennart Regebro wrote:
> >>Supposedly you would not be able to access that part of the site until
> >>you authenticate against it. Isn't that the case now?
> >
> > Assuming it requires authentication, yes.
> 
> And if it doesn't require authentication?

It would fail, since you supplied incorrect authentication. That's
pretty counter-intuitive. You are logged in, and click on a part of
the site where you should not need authentication, and you get
authentication errors. ;)

> Also, what determines whether it requires authentication? authorisation
> requirements or something else?

If it's accessible by anonymous that is the same as not requiring authorization.

> > The main problem here is that Internet Explorer doesn't allow you to
> > log out, for example.
> 
> I thought returning enough 401's usually prompts any browser to drop its
> basic auth?

Nope, not IE. Yes, that is non-standard. But they do that so that if
you click on something that you can NOT access, you can continue
surfing without having to log in again. Which actually is pretty
reasonable in a way.

> > So, in principle, invalid credentials should raise an error, but in
> > practice, you can't do that if you use Simple HTTP authentication.
> 
> Why not? Surely they should just get a 403 response?

403 Forbidden: The server understood the request, but is refusing to
fulfill it. Authorization will not help and the request SHOULD NOT be
repeated. If the request method was not HEAD and the server wishes to
make public why the request has not been fulfilled, it SHOULD describe
the reason for the refusal in the entity. If the server does not wish
to make this information available to the client, the status code 404
(Not Found) can be used instead.

I fail to see how this is a reasonable response when you request a page
that is public just because your credentials are invalid in that
location. It's a bit like refusing people into a public park because
they have a security badge on their shirt. ;)

-- 
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-20 Thread Chris Withers
Lennart Regebro wrote:
>> Supposedly you would not be able to access that part of the site until
>> you authenticate against it. Isn't that the case now?
>
> Assuming it requires authentication, yes.

And if it doesn't require authentication?

Also, what determines whether it requires authentication? authorisation
requirements or something else?

> The main problem here is that Internet Explorer doesn't allow you to
> log out, for example.

I thought returning enough 401's usually prompts any browser to drop its
basic auth?

> So, in principle, invalid credentials should raise an error, but in
> practice, you can't do that if you use Simple HTTP authentication.

Why not? Surely they should just get a 403 response?

cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-20 Thread Lennart Regebro
On 4/20/05, Sidnei da Silva <[EMAIL PROTECTED]> wrote:
> Supposedly you would not be able to access that part of the site until
> you authenticate against it. Isn't that the case now?

Assuming it requires authentication, yes.
The main problem here is that Internet Explorer doesn't allow you to
log out, for example.

So, in principle, invalid credentials should raise an error, but in
practice, you can't do that if you use Simple HTTP authentication.
With other authentication schemes, where you can log out properly,
it would be possible.

-- 
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-19 Thread Sidnei da Silva
On Tue, Apr 19, 2005 at 11:06:05PM -0400, Paul Winkler wrote:
| > Again:
| > 
| > - Not sending credentials is fine for anonymous pages
| > - Sending valid credentials is fine for all pages
| > - Sending invalid credentials should fail as early as possible.
| 
| What should happen if your credentials are valid in one part of the site
| and invalid in another part?  

Supposedly you would not be able to access that part of the site until
you authenticate against it. Isn't that the case now?

-- 
Sidnei da Silva <[EMAIL PROTECTED]>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

As firm as a nail in polenta.


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-19 Thread Paul Winkler
On Tue, Apr 19, 2005 at 11:53:33PM -0300, Sidnei da Silva wrote:
> On Wed, Apr 20, 2005 at 12:38:42PM +1000, Richard Jones wrote:
> | On Wed, 20 Apr 2005 12:09 pm, Sidnei da Silva wrote:
> | > - If you want to access a anonymous page, you will *not* be sending
> | >   auth credentials.
> | 
> | Why do you say that? Cookie auth doesn't distinguish between anonymous pages 
> | and pages that require a user, so the cookie will be sent for every 
> request. 
> | IIRC, this is also how Basic Auth works, once your browser knows you've got 
> | valid credentials for a site.
> 
> That is totally fine. As long as the credentials are valid. If they
> are invalid you should be promptly requested to provide valid
> credentials no?
> 
> Again:
> 
> - Not sending credentials is fine for anonymous pages
> - Sending valid credentials is fine for all pages
> - Sending invalid credentials should fail as early as possible.

What should happen if your credentials are valid in one part of the site
and invalid in another part?  

-- 

Paul Winkler
http://www.slinkp.com


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-19 Thread Sidnei da Silva
On Wed, Apr 20, 2005 at 12:38:42PM +1000, Richard Jones wrote:
| On Wed, 20 Apr 2005 12:09 pm, Sidnei da Silva wrote:
| > - If you want to access an anonymous page, you will *not* be sending
| >   auth credentials.
| 
| Why do you say that? Cookie auth doesn't distinguish between anonymous pages 
| and pages that require a user, so the cookie will be sent for every request. 
| IIRC, this is also how Basic Auth works, once your browser knows you've got 
| valid credentials for a site.

That is totally fine. As long as the credentials are valid. If they
are invalid you should be promptly requested to provide valid
credentials no?

Again:

- Not sending credentials is fine for anonymous pages
- Sending valid credentials is fine for all pages
- Sending invalid credentials should fail as early as possible.

-- 
Sidnei da Silva <[EMAIL PROTECTED]>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

All the existing 2.0.x kernels are too buggy for 2.1.x to be the
main goal.
-- Alan Cox


Re: [Zope-Coders] Wrong username and password == Anonymous User?

2005-04-19 Thread Richard Jones
On Wed, 20 Apr 2005 12:09 pm, Sidnei da Silva wrote:
> - If you want to access an anonymous page, you will *not* be sending
>   auth credentials.

Why do you say that? Cookie auth doesn't distinguish between anonymous pages 
and pages that require a user, so the cookie will be sent for every request. 
IIRC, this is also how Basic Auth works, once your browser knows you've got 
valid credentials for a site.


 Richard


[Zope-Coders] Wrong username and password == Anonymous User?

2005-04-19 Thread Sidnei da Silva
So, here's a tricky one.

In BaseRequest.traverse(), when invalid credentials are supplied, the
validation will return the special 'Anonymous User' and proceed. Later
in the game, if the 'current user' (in this case 'Anonymous User') is
not allowed to access something, an 'Unauthorized' exception is
raised.

Mark Hammond has been arguing with me for hours now, and has convinced me
that this is wrong. Why?

- If you want to access an anonymous page, you will *not* be sending
  auth credentials.

- If you *are* supplying credentials, they must either be *valid* or
  *invalid*. Falling back to 'Anonymous User' just hides the fact that
  you have provided wrong credentials.

- Falling back to 'Anonymous User' will eventually fail down the path,
  unless, by luck, everything you need to access in that request is
  accessible to the 'Anonymous User'. It might fail quite deep inside
  Zope, thus possibly masking the real issue.

- Anyone sending wrong credentials and *expecting* that Zope will
  fall back to 'Anonymous User' knows and is actively abusing
  ZPublisher internals.

- Falling back to 'Anonymous User' and proceeding might also consume
  more resources than it really should in this case.

In any case, if someone is depending on this behaviour, he has a
broken application that must be fixed.

The patch (attached) is very short and simple, and I can't think of a
single reasonable, sane case that would break with this change.

If no-one has a real reason for not checking this in, I would like to
make the change in Zope 2.7 and trunk as IMO it's a bug.

-- 
Sidnei da Silva <[EMAIL PROTECTED]>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

 we need PB for C#
* moshez squishes glyph
 glyph: squishy insane person
Index: lib/python/ZPublisher/BaseRequest.py
===
RCS file: /cvs-repository/Packages/ZPublisher/Attic/BaseRequest.py,v
retrieving revision 1.51.2.4
diff -u -r1.51.2.4 BaseRequest.py
--- lib/python/ZPublisher/BaseRequest.py2 Dec 2004 16:49:28 -   
1.51.2.4
+++ lib/python/ZPublisher/BaseRequest.py20 Apr 2005 02:14:19 -
@@ -387,7 +387,7 @@
 request['PUBLISHED'] = parents.pop(0)
 
 # Do authorization checks
-user=groups=None
+user=groups=auth=None
 i=0
 
 if 1:  # Always perform authentication.
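Review bot: `auth` is initialised to None on the `+user=groups=auth=None` line, but no line in this patch ever assigns it, so the `if auth is not None` test in the second hunk depends entirely on code between the two hunks (outside the diff) setting it whenever the request carried credentials; a short comment here saying what `auth` holds and where it is set would make that dependency reviewable, and since the line is being touched anyway, `user = groups = auth = None` would be the readable spelling.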
@@ -452,6 +452,12 @@
 if validated_hook is not None: validated_hook(self, user)
 request['AUTHENTICATED_USER']=user
 request['AUTHENTICATION_PATH']='/'.join(steps[:-i])
+
+if auth is not None:
+from AccessControl.User import nobody
+from Acquisition import aq_base
+if aq_base(user) is nobody:
+response.unauthorized()
 
 # Remove http request method from the URL.
 request['URL']=URL
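Review bot: the new `if auth is not None` block refuses every request whose credentials no user folder recognised, regardless of whether the published object needed authorization at all, which is exactly the regression Lennart raises in the thread: a browser that keeps resending Basic credentials valid only in one subtree (and, per the thread, cannot drop them in IE) is shut out of anonymously accessible pages elsewhere. If this goes in, gate the rejection on the published object actually requiring authorization, or keep the fallback and confine the early failure to the WebDAV case Sidnei describes. Two smaller points: the patch adds no comment even though the thread explicitly asks for a big one explaining the chosen behaviour, and `request['AUTHENTICATED_USER']` has already been set to `nobody` by the time `response.unauthorized()` runs, so the block also relies on that call raising rather than returning; if it only sets the status, traversal continues with the anonymous user. The `from AccessControl.User import nobody` and `from Acquisition import aq_base` imports can move to module level.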
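The two policies argued over in this thread (Sidnei's list of reasons for failing early on invalid credentials, and Lennart's and Paul's objection that credentials valid in one part of the site become "invalid" elsewhere and would lock a Basic-auth browser out of public pages) can be exercised side by side with a small model of traversal-time authentication. The code below is an added example written for this archive, not Zope's own ZPublisher code: the site tree, the user folders, the passwords and the names `authenticate`, `publish` and `build_site` are all constructed for the illustration. `reject_invalid=False` models the existing fallback to Anonymous User, `reject_invalid=True` models the attached patch.

```python
# Added example, not Zope's code: a model of the traversal-time
# authentication decision the thread argues about. The site tree, the user
# folders and the credentials are constructed demo data; the function names
# authenticate, publish and build_site are invented for this model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOBODY = "Anonymous User"   # stands in for AccessControl.User.nobody

Credentials = Optional[Tuple[str, str]]   # (name, password), or None if none sent


@dataclass
class UserFolder:
    """Stand-in for an acl_users folder; clear-text passwords only for the model."""
    users: Dict[str, str]

    def validate(self, credentials: Credentials) -> Optional[str]:
        """Return the user name if this folder knows the credentials, else None."""
        if credentials is None:
            return None
        name, password = credentials
        return name if self.users.get(name) == password else None


@dataclass
class Folder:
    name: str
    public: bool                        # may Anonymous User view it?
    acl_users: Optional[UserFolder] = None
    children: Dict[str, "Folder"] = field(default_factory=dict)

    def add(self, child: "Folder") -> "Folder":
        self.children[child.name] = child
        return child


def authenticate(parents: List[Folder], credentials: Credentials) -> str:
    """Mimic BaseRequest.traverse: ask each user folder from the published
    object outwards; the first one that recognises the credentials wins.
    When none does, the result is NOBODY, which is the fallback the thread
    debates (it also covers the no-credentials case)."""
    for folder in reversed(parents):
        if folder.acl_users is not None:
            user = folder.acl_users.validate(credentials)
            if user is not None:
                return user
    return NOBODY


def publish(root: Folder, path: str, credentials: Credentials,
            reject_invalid: bool) -> Tuple[str, str]:
    """Traverse `path` under `root` and return (outcome, user).

    reject_invalid=False models current Zope: wrong credentials silently
    become Anonymous User and only fail later, if and when the published
    object actually requires authorization ("401 late").
    reject_invalid=True models Sidnei's patch: credentials were sent and no
    user folder validated them, so refuse at traversal time ("401 early"),
    even when the target is public."""
    parents = [root]
    for step in (s for s in path.split("/") if s):
        parents.append(parents[-1].children[step])
    user = authenticate(parents, credentials)
    if reject_invalid and credentials is not None and user == NOBODY:
        return ("401 early", user)
    published = parents[-1]
    if not published.public and user == NOBODY:
        return ("401 late", user)
    return ("200", user)


def build_site() -> Folder:
    """Constructed site: root knows alice, /project has its own user folder
    that knows bob, /news is public and has no user folder of its own."""
    root = Folder("root", public=True, acl_users=UserFolder({"alice": "pw-a"}))
    root.add(Folder("project", public=False, acl_users=UserFolder({"bob": "pw-b"})))
    root.add(Folder("news", public=True))
    return root


if __name__ == "__main__":
    site = build_site()
    # bob's credentials are valid under /project but unknown at /news: the
    # fallback lets him read the public page, the patch locks him out.
    print(publish(site, "/news", ("bob", "pw-b"), reject_invalid=False))
    print(publish(site, "/news", ("bob", "pw-b"), reject_invalid=True))
```

The interesting row is bob at `/news`: his credentials validate only in `/project`'s folder, which is not on the traversal chain for `/news`, so the chain yields `NOBODY`. With the fallback he sees the public page as Anonymous User; with the patch he gets an early 401 on a page that never needed credentials, which is Lennart's "security badge in the public park" case. The model also shows Sidnei's point: with the fallback, a wrong password for `/project` is reported only after traversal, as a late Unauthorized, rather than at the point the bad credentials were seen.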