Matt Hamilton wrote:

In BaseRequest.traverse(), when invalid credentials are supplied, the
validation will return the special 'Anonymous User' and proceed. Later
in the game, if the 'current user' (in this case 'Anonymous User') is
not allowed to access something, an 'Unauthorized' exception is
raised.

Yeah, how this exception is handled is something I'd like to see made more officially pluggable and the responsibility of the user folder.
In many cases, it makes much more sense to just return a 403 when this happens, rather than popping up a basic auth box inviting the user to bang their head against a brick wall trying the same username/password they did before...


I was playing around with this when writing NTLMHTTPUserFolder. We had a very strange bug that I tracked down to being that at some point in the security code (can't quite remember where) if Anonymous *could* access something then the user was being reported as Anonymous User. Not the actual user. Even if they were authenticated. This resulted in REQUEST.AUTHENTICATED_USER being correct (the logged in user) but whatever code that writes the username at the top of a CMF/Plone site saying Anonymous User (can't remember which method this is offhand -- getCurrentUser or something like that).

From what you describe, sounds like getSecurityManager().getUser() was returning something different to REQUEST.AUTHENTICATED_USER. The way you describe it makes it sound like getUser() had a bug, but then again, you could be observing side effects of the fact that REQUEST.AUTHENTICATED_USER was deprecated several years ago ;-)


We also do something similar with dropping back to Anon.

Except you don't, as I understand it. You drop back to a user called "Unauthenticated User" which has the same roles as an authenticated user, which I personally find horrible ;-)


I'd much prefer to see the intranet in question be anonymously accessible, as it should be, with authentication happening if the credentials are there, rather than if authentication is required.

__bobo_traverse__ anyone?

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders
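A toy model of the traversal and challenge behaviour discussed in this thread, added here as an example (it is not Zope's code and not anything posted by either participant): the user folder validates credentials as soon as they are present and falls back to Anonymous User otherwise, and a request that supplied credentials which did not work gets a 403 instead of another Basic-auth challenge. `UserFolder`, `traverse`, `basic_auth`, the sample users and the sample paths are all constructed for the example.

```python
import base64

ANONYMOUS = "Anonymous User"


class UserFolder:
    """Toy user folder holding constructed sample users: {name: (password, roles)}."""

    def __init__(self, users):
        self.users = users

    def validate(self, auth_header):
        """Return (user, roles, credentials_supplied).

        Missing or invalid credentials yield the special Anonymous User, as
        BaseRequest.traverse() does; the third value records whether the client
        sent credentials at all, which the challenge policy below needs.
        """
        if not auth_header or not auth_header.startswith("Basic "):
            return ANONYMOUS, {"Anonymous"}, False
        name, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
        entry = self.users.get(name)
        if entry and entry[0] == password:
            return name, entry[1], True
        return ANONYMOUS, {"Anonymous"}, True


def basic_auth(name, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()


def traverse(folder, resources, path, auth_header=None):
    """Authenticate eagerly when credentials are present, then check roles.

    Returns (status, user, extra_headers). Anonymously accessible paths still
    report the real authenticated user when credentials validate.
    """
    user, roles, supplied = folder.validate(auth_header)
    if resources[path] & roles:
        return 200, user, {}
    if not supplied:
        # No credentials at all: a Basic-auth challenge is the right answer.
        return 401, user, {"WWW-Authenticate": 'Basic realm="intranet"'}
    # Credentials were sent but were wrong or insufficient; re-challenging only
    # invites the same username/password again, so answer 403 instead.
    return 403, user, {}


FOLDER = UserFolder({"alice": ("s3cret", {"Member", "Authenticated"})})
RESOURCES = {"/": {"Anonymous", "Member"}, "/private": {"Member"}}
```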
