Sidnei da Silva wrote:
So, here's a tricky one.

In BaseRequest.traverse(), when invalid credentials are supplied, the
validation will return the special 'Anonymous User' and proceed. Later
in the game, if the 'current user' (in this case 'Anonymous User') is
not allowed to access something, an 'Unauthorized' exception is

Mark Hammond has been arguing me for hours now, and has convinced me
that this is wrong. Why?

- If you want to access a anonymous page, you will *not* be sending
  auth credentials.

- If you *are* supplying credentials, they must either be *valid* or
  *invalid*. Falling back to 'Anonymous User' just hides the fact that
  you have provided wrong credentials.

- Falling back to 'Anonymous User' will eventually fail down the path,
  unless, by luck, everything you need to access in that request is
  accessible to the 'Anonymous User'. It might fail quite deep inside
  Zope, thus possibly masking the real issue.

- Anyone sending wrong credentials and *expecting* that Zope will
  fallback to 'Anonymous User' knows and is actively abusing
  ZPublisher internals.

- Falling back to 'Anonymous User' and proceeding might also consume
  more resources than it really should in this case.

In any case, if someone is depending on this behaviour, he has a
broken application that must be fixed.

The patch (attached) is very short and simple, and I can't think of a
single reasonable, sane case that would break with this change.

If no-one has a real reason for not checkin this in, I would like to
make the change in Zope 2.7 and trunk as IMO it's a bug.

-1 without extensive testing on a branch, especially including heavy testing of basic-auth-only scenarios.

Tinkering with the machinery here after a couple of hours head-scratching ignores the fact that the machinery *works* in the teeth of all the weird behavior built into to pavane which is stateless-but-faking-it basic authentication.

Tres. -- =============================================================== Tres Seaver [EMAIL PROTECTED] Zope Corporation "Zope Dealers"

Zope-Coders mailing list

Reply via email to