On Dec 8, 2005, at 10:58 AM, Sidnei da Silva wrote:
> On Thu, Dec 08, 2005 at 10:11:46AM -0500, Gary Poster wrote:
> | ... Sounds good to me.
>
> Only one issue that you should have in mind, and that has bitten me several times with the Zope 2 PluggableAuthService, is the following: if you use the 'HTTPBasicAuthHelper' for login, that doesn't mean you can use it for logout. That is especially true if you happen to use the 'CookieAuthHelper', which translates cookie-based credentials to HTTP Basic.
>
> What happens is that in PAS, if you call logout() it will call all the 'ICredentialsReset'; however, if the 'HTTPBasicAuthHelper' happens to be one of those, it will raise an 'Unauthorized' exception, because that's how you log someone out using HTTP Basic auth, and then two things happen:
>
> 1. The cookie credentials don't get erased because of the Unauthorized.
> 2. Any plugins that happened to be enabled for ICredentialsReset won't fire.
Thanks: that is interesting, and answers some idle questions I had lying around in my head.
In the case of the Zope 3 pluggable auth, though, there are a number of reasons why this (currently) doesn't come into play. A particularly pertinent reason is that the default basic auth plug-in doesn't do the 'raise Unauthorized' trick--it just rolls over and plays dead (i.e., 'pass'). Logging out is effectively not available if you are logged in via the standard basic auth. This is a case in which you would not want to offer 'log out' in the UI (or you'd want to work out some other compromise).
Gary

Zope3-dev mailing list
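The failure Sidnei describes (one reset plugin raising Unauthorized and thereby skipping the cookie wipe and every later plugin) is easy to reproduce in a small model. The Python below is an added illustration, not PAS or Zope 3 code: the plugin classes, the `resetCredentials` method, the `Response` object and the session cookie value are all constructed for this example. `naive_logout` mirrors the Zope 2 behaviour in the mail, while `robust_logout` runs every reset plugin first and only then re-raises the Basic-auth re-challenge, so the cookie is cleared and the remaining plugins fire even though the browser still gets its 401.

```python
"""Constructed model of a PAS-style logout() running ICredentialsReset plugins.

Not Zope code: class and method names only mirror the discussion above.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised to make the browser forget cached HTTP Basic credentials."""


@dataclass
class Response:
    cookies: dict = field(default_factory=dict)
    status: int = 200


class CookieAuthHelper:
    """Clears the session cookie that carries the translated credentials."""

    def resetCredentials(self, request, response):
        response.cookies.pop("__ac", None)


class HTTPBasicAuthHelper:
    """Zope 2 style: the only way to 'log out' of Basic auth is to
    re-challenge, which this model does by raising Unauthorized."""

    def resetCredentials(self, request, response):
        response.status = 401
        raise Unauthorized("re-challenge to clear Basic auth")


class AuditLogPlugin:
    """Stand-in for any other ICredentialsReset plugin (e.g. an audit hook)."""

    def __init__(self):
        self.events = []

    def resetCredentials(self, request, response):
        self.events.append("logout")


def naive_logout(plugins, request, response):
    """Call every reset plugin in order; the first raise aborts the rest.

    This is the behaviour described in the mail above."""
    for plugin in plugins:
        plugin.resetCredentials(request, response)


def robust_logout(plugins, request, response):
    """Run every reset plugin even if one raises, then re-raise the first
    Unauthorized so the Basic-auth re-challenge still reaches the browser."""
    first_error = None
    for plugin in plugins:
        try:
            plugin.resetCredentials(request, response)
        except Unauthorized as exc:
            if first_error is None:
                first_error = exc
    if first_error is not None:
        raise first_error


def demo(logout):
    """Run `logout` over a Basic-first plugin chain and report what survived.

    Returns a dict: did Unauthorized propagate, is the cookie still set,
    did the plugin after the Basic helper get to run."""
    audit = AuditLogPlugin()
    plugins = [HTTPBasicAuthHelper(), CookieAuthHelper(), audit]
    # Constructed session cookie standing in for a CookieAuthHelper token.
    response = Response(cookies={"__ac": "constructed-session-token"})
    raised = False
    try:
        logout(plugins, request=None, response=response)
    except Unauthorized:
        raised = True
    return {
        "raised": raised,
        "cookie_left": "__ac" in response.cookies,
        "audit_fired": bool(audit.events),
    }


if __name__ == "__main__":
    print("naive :", demo(naive_logout))
    print("robust:", demo(robust_logout))
```

The ordering in `demo` deliberately puts the Basic helper first, which is the worst case; with `naive_logout` the cookie survives logout, so a shared browser keeps a valid session after the user believes they have signed out. The point of `robust_logout` is that a credentials-reset chain should be all-or-nothing from the user's perspective: every plugin gets its turn, and the exception that drives the browser-side challenge is delivered afterwards rather than short-circuiting the chain.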