"Evan Simpson" wrote Hm, in that case, wouldn't that then just recurse back through the parent folders looking for additional access controls?
Exactly :-) This can allow authentication to succeed at a higher level, while still giving you the nice inner Login page if it fails at all levels.
This isn't necessarily desirable in all cases, and you can't even *get* a basic authentication dialog when there's an inner cookie-based acl_users unless you define a method which explicitly throws 'LoginRequired'. It's still an improvement on the current default situation, though.
Should auth behave this way, tho? Should a top level acl_users take precedence over a lower level one? Doesn't that kill the ability of a manager of a subfolder to delegate control to their own users?
Anthony
----- Original Message ----- From: Anthony Baxter <anthony@interlink.com.au>
Should auth behave this way, tho? Should a top level acl_users take precedence over a lower level one?
It doesn't, or at least not entirely. Don't forget that a *successful* authenticate on the inner acl_users will stop the entire process right there. It's only *unsuccessful* authentications which propagate to higher levels. If you have two levels of cookie-based authentication, then the outer one will get its page shown, of course. That sort of behavior could be made into a switch on, say, a GUF so that you can tell it whether to defer to contained GUFs or not.
Cheers,
Evan @ 4-am
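The lookup order discussed in this thread, as a small model added here for illustration; it is not Zope's code and not from either poster. The names `Folder`, `validate` and `authenticate` are hypothetical, and the user data is constructed sample input with clear-text passwords only to keep the model short.

```python
# Illustrative model only: not Zope code. All names here are hypothetical.
import hmac


class Folder:
    """A container that may hold its own user folder (acl_users)."""

    def __init__(self, name, parent=None, users=None):
        self.name = name
        self.parent = parent
        # users maps login -> (password, roles); None means no acl_users here.
        # Clear-text passwords keep the model short; constructed sample data.
        self.users = users

    def validate(self, login, password):
        """Return the roles granted by this folder's acl_users, or None."""
        if self.users is None or login not in self.users:
            return None
        stored, roles = self.users[login]
        ok = hmac.compare_digest(stored.encode(), password.encode())
        return roles if ok else None


def authenticate(folder, login, password):
    """Walk from the innermost folder outward.

    A successful validation stops the walk at that level; only failures
    propagate to the parent. Returns (folder_name, roles), or None when
    every level has rejected the credentials (the point at which a login
    challenge would be issued).
    """
    level = folder
    while level is not None:
        roles = level.validate(login, password)
        if roles is not None:
            return level.name, roles
        level = level.parent
    return None


# Constructed sample hierarchy: root -> dept, each with its own acl_users.
root = Folder("root", users={"admin": ("r00t-pw", ["Manager"]),
                             "alice": ("outer-pw", ["Member"])})
dept = Folder("dept", parent=root,
              users={"alice": ("inner-pw", ["Editor"])})
```

In this model, credentials that the inner folder rejects can still be accepted by a parent, and the roles returned are the ones defined at the level that accepted them. That is the case to audit when a subfolder is meant to be administered independently.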