Brian Lloyd wrote:
> > > That's a problem. Root index_html is viewable by Anonymous user - Zope
> > > should not complain about wrong (not in acl_users) login/password.
> >
> > It seems Zope doesn't like being presented with Authentication
> > information it knows nothing about. A more graceful way of dealing with
> > this would be to say 'I don't know who you are, so I'm going to treat
> > you as anonymous' rather than 'I don't know who you are, so
> > f- off' ;-)
>
> The old (broken) behavior was that if credentials were sent,
> then an unauthorized was raised if a matching user could not
> be found to match those credentials.
>
> The new behavior is that if credentials are sent *and* no
> matching user is found *and* the resource being requested
> is accessible by Anonymous then the Anonymous user is used.

This is great and works as expected. I've converted it into a patch for 2.1.6 which is attached, in case anyone wants it.

I've also CC'ed in Ty Sarna since LoginManager, GUF and several other things have (recently ;-) changed to support the broken logic, so they probably need to change back now... :-S

Many thanks for fixing this, my day is getting better at last :-)

cheers,

Chris

PS: From User.py:

PermissionRole import _what_not_even_god_should_do

what is that all about?! ;-)

--- User.py.old2 Tue Jul 11 18:13:50 2000 +++ User.py Tue Jul 11 18:17:13 2000 @@ -445,10 +445,16 @@ # Try to get user user=self.getUser(name) if user is None: + if self._isTop() and self._nobody.allowed(parent, roles): + user=self._nobody.__of__(self) + return user return None # Try to authenticate user if not user.authenticate(password, request): + if self._isTop() and self._nobody.allowed(parent,roles): + user=self._nobody.__of__(self) + return user return None # We need the user to be able to acquire!
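
Review bot: the Anonymous fallback is duplicated verbatim in both the `user is None` branch and the failed `user.authenticate(password, request)` branch; fold it into a single helper or one shared check so the two paths cannot drift apart, and return `self._nobody.__of__(self)` directly instead of assigning it to `user` first. The second branch needs a comment of its own: a known user who supplies a wrong password is now silently treated as Anonymous whenever `self._nobody.allowed(parent, roles)` passes, so state that this is intended and consider recording the failed authentication before falling back. A short comment on why the fallback is limited to `self._isTop()` would also help, and the spacing in `allowed(parent,roles)` should match `allowed(parent, roles)` a few lines above.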