So, here's a tricky one.

In BaseRequest.traverse(), when invalid credentials are supplied, the
validation will return the special 'Anonymous User' and proceed. Later
in the game, if the 'current user' (in this case 'Anonymous User') is
not allowed to access something, an 'Unauthorized' exception is
raised.

Mark Hammond has been arguing with me for hours now, and has convinced me
that this is wrong. Why?

- If you want to access an anonymous page, you will *not* be sending
  auth credentials.

- If you *are* supplying credentials, they must either be *valid* or
  *invalid*. Falling back to 'Anonymous User' just hides the fact that
  you have provided wrong credentials.

- Falling back to 'Anonymous User' will eventually fail down the path,
  unless, by luck, everything you need to access in that request is
  accessible to the 'Anonymous User'. It might fail quite deep inside
  Zope, thus possibly masking the real issue.

- Anyone sending wrong credentials and *expecting* that Zope will
  fall back to 'Anonymous User' knows and is actively abusing
  ZPublisher internals.

- Falling back to 'Anonymous User' and proceeding might also consume
  more resources than it really should in this case.

In any case, if someone is depending on this behaviour, he has a
broken application that must be fixed.

The patch (attached) is very short and simple, and I can't think of a
single reasonable, sane case that would break with this change.

If no-one has a real reason for not checking this in, I would like to
make the change in Zope 2.7 and trunk as IMO it's a bug.

-- 
Sidnei da Silva <[EMAIL PROTECTED]>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

<glyph> we need PB for C#
* moshez squishes glyph
<moshez> glyph: squishy insane person
Index: lib/python/ZPublisher/BaseRequest.py
===================================================================
RCS file: /cvs-repository/Packages/ZPublisher/Attic/BaseRequest.py,v
retrieving revision 1.51.2.4
diff -u -r1.51.2.4 BaseRequest.py
--- lib/python/ZPublisher/BaseRequest.py        2 Dec 2004 16:49:28 -0000       
1.51.2.4
+++ lib/python/ZPublisher/BaseRequest.py        20 Apr 2005 02:14:19 -0000
@@ -387,7 +387,7 @@
         request['PUBLISHED'] = parents.pop(0)
 
         # Do authorization checks
-        user=groups=None
+        user=groups=auth=None
         i=0
 
         if 1:  # Always perform authentication.
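Review bot: `auth` is initialized on the `user=groups=auth=None` line, but nothing in the visible hunks ever assigns it afterwards, so the `if auth is not None:` check added in the second hunk can only fire if code in the elided region between the hunks sets `auth` from the request's credentials. Confirm that assignment runs on every path where credentials were supplied and that `auth` stays `None` when the request carried no credentials at all, since the whole fix rests on that distinction; a short comment at the initialization saying what `auth` holds (raw credentials or `None`) would save the next reader the same search.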
@@ -452,6 +452,12 @@
             if validated_hook is not None: validated_hook(self, user)
             request['AUTHENTICATED_USER']=user
             request['AUTHENTICATION_PATH']='/'.join(steps[:-i])
+
+        if auth is not None:
+            from AccessControl.User import nobody
+            from Acquisition import aq_base
+            if aq_base(user) is nobody:
+                response.unauthorized()
 
         # Remove http request method from the URL.
         request['URL']=URL
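Review bot: the new `if aq_base(user) is nobody: response.unauthorized()` check runs after `validated_hook(self, user)` has already been called and after `request['AUTHENTICATED_USER']=user` has recorded the anonymous user, and there is no `return` or `raise` after the call, so traversal would continue to `request['URL']=URL` if `response.unauthorized()` ever returned instead of raising. Suggest making the rejection explicit (raise the Unauthorized exception directly, or `return` after the call) and moving the check ahead of the hook and the `AUTHENTICATED_USER` assignment so a rejected request never records an anonymous user as authenticated. The function-local imports of `nobody` and `aq_base` are fine if they avoid an import cycle; otherwise they belong at module scope.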
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders
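The two policies the message above contrasts, modelled as an added example that is not part of the original mail or of Zope's code: `resolve_user_fallback` mirrors the existing behaviour (anything that does not validate becomes 'Anonymous User', so wrong credentials are indistinguishable from none), and `resolve_user_strict` mirrors the patched behaviour (only a missing credential means anonymous; supplied credentials must validate or the request is refused before any object is looked up). All names, the credential store and the page lists are constructed for illustration.

```python
# Added example, not code from Zope or from the attached patch. A minimal
# model of "fall back to Anonymous User" versus "reject invalid credentials".
# Every name and sample value here is constructed for illustration.

class Unauthorized(Exception):
    """Raised when a request may not proceed."""


ANONYMOUS = "Anonymous User"

# Constructed sample data (not real Zope users, roles or objects).
USERS = {"alice": "correct-horse"}
PUBLIC_PAGES = {"index"}        # readable by Anonymous User
PROTECTED_PAGES = {"admin"}     # readable only by an authenticated user


def authenticate(credentials):
    """Return the user name for valid credentials, otherwise None.

    `credentials` is None when the client sent no credentials at all,
    or a (name, password) tuple when it did.
    """
    if credentials is None:
        return None
    name, password = credentials
    if USERS.get(name) == password:
        return name
    return None


def resolve_user_fallback(credentials):
    """Old policy: anything that does not validate becomes Anonymous User.

    Absent credentials and wrong credentials end up identical here, so a
    client with a typo in its password is silently treated as anonymous.
    """
    return authenticate(credentials) or ANONYMOUS


def resolve_user_strict(credentials):
    """Patched policy: only a missing credential means anonymous.

    Supplied credentials must validate; otherwise the request is refused
    at authentication time, before any object is traversed.
    """
    if credentials is None:
        return ANONYMOUS
    user = authenticate(credentials)
    if user is None:
        raise Unauthorized("supplied credentials did not validate")
    return user


def check_access(user, page):
    """Authorization step performed later, 'deep inside' traversal."""
    if page in PUBLIC_PAGES:
        return True
    if page in PROTECTED_PAGES and user != ANONYMOUS:
        return True
    raise Unauthorized("%s may not access %s" % (user, page))


def handle(resolve_user, credentials, page):
    """Run one request through a policy and return a short outcome label."""
    try:
        user = resolve_user(credentials)
    except Unauthorized:
        return "rejected at authentication"
    try:
        check_access(user, page)
    except Unauthorized:
        return "rejected at authorization as %s" % user
    return "served to %s" % user


if __name__ == "__main__":
    bad = ("alice", "wrong-password")
    for policy in (resolve_user_fallback, resolve_user_strict):
        print(policy.__name__)
        print("  bad creds, public page:   ", handle(policy, bad, "index"))
        print("  bad creds, protected page:", handle(policy, bad, "admin"))
        print("  no creds, public page:    ", handle(policy, None, "index"))
```

Run it and the fallback policy serves the public page to a client that sent wrong credentials (the misconfiguration is never surfaced) and only fails on the protected page, at the authorization step and as the anonymous user; the strict policy refuses both requests at authentication while still serving the public page to a client that sent no credentials.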
