User not in User Folder problem solved! :-)
Brian Lloyd wrote:
That's a problem. Root index_html is viewable by Anonymous user - Zope should not complain about wrong (not in acl_users) login/password.
It seems Zope doesn't like being presented with Authentication information it knows nothing about. A more graceful way of dealing with this would be to say 'I don't know who you are, so I'm going to treat you as anonymous' rather than 'I don't know who you are, so f- off' ;-)
The old (broken) behavior was that if credentials were sent, then an unauthorized was raised if a matching user could not be found to match those credentials.
The new behavior is that if credentials are sent *and* no matching user is found *and* the resource being requested is accessible by Anonymous then the Anonymous user is used.
This is great and works as expected. I've converted it into a patch for 2.1.6 which is attached, in case anyone wants it. I've also CC'ed in Ty Sarna since LoginManager, GUF and several other things have (recently ;-) changed to support the broken logic, so they probably need to change back now... :-S

Many thanks for fixing this, my day is getting better at last :-)

cheers,

Chris

PS:
From User.py:
PermissionRole import _what_not_even_god_should_do what is that all about?! ;-) --- User.py.old2 Tue Jul 11 18:13:50 2000 +++ User.py Tue Jul 11 18:17:13 2000 @@ -445,10 +445,16 @@ # Try to get user user=self.getUser(name) if user is None: + if self._isTop() and self._nobody.allowed(parent, roles): + user=self._nobody.__of__(self) + return user return None # Try to authenticate user if not user.authenticate(password, request): + if self._isTop() and self._nobody.allowed(parent,roles): + user=self._nobody.__of__(self) + return user return None # We need the user to be able to acquire!
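Review bot: The same three-line Anonymous fallback is added twice, once under `if user is None:` and once under `if not user.authenticate(password, request):`, with no comment saying why it is limited to `self._isTop()`. Folding both into one check (or a small helper) that does `return self._nobody.__of__(self)` directly would keep the two branches from drifting, and a one-line comment on the `_isTop()` condition would help the next reader. The second branch also turns a failed password for an existing user into an Anonymous result instead of `None` whenever `self._nobody.allowed(parent, roles)` is true, so it is worth confirming that this is intended and not only the unknown-user case. The spacing in `allowed(parent,roles)` in that branch differs from the first call.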
participants (1)
-
Chris Withers