Fred Yankowski <fred@ontosys.com> wrote:
> I've set up LoginManager with SQL and it's working OK, but I've run into a case where the browser pops up a basic/HTTP authentication request when I try to access a particular object inside the LoginManager-protected area.
> In particular, I added the following line to the index_html DTML Document (at the same level as the LoginManager acl_users folder):
>
>     <dtml-var "_.getattr('AUTHENTICATED_USER', '__class__')">
No can do, no how, no way: attribute names beginning with "_" are absolutely verboten in through-the-web DTML.
> Without this line I can access the index_html file after logging in via the LoginManager scheme as a user with the 'Members' role. But with this line I get the basic authorization popup and if I cancel that I can see the following exception in the "Zope Error" page:
>
> ================
> Traceback (innermost last):
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 222, in publish_module
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 187, in publish
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 171, in publish
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\mapply.py, line 160, in mapply
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 112, in call_object
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\OFS\DTMLDocument.py, line 177, in __call__
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_String.py, line 528, in __call__
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py, line 337, in eval
>     (Object: _.getattr('AUTHENTICATED_USER', '__class__'))
>     (Info: _)
>   File <string>, line 0, in ?
>   File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py, line 144, in careful_getattr
> Unauthorized: __class__
> ================
>
> So it looks like attempting to access the '__class__' attribute triggered this, but I don't understand why it led to basic authentication. If this required 'Manager' permissions, why didn't I just get some kind of "forbidden" response?
You are already authenticated in LM, but don't (can't, actually) have the role to do this operation (grep the Zope source for '_what_not_even_god_should_do'). The LM can't authenticate you for what you asked, so you bang out to Zope's default, which is to try basic auth. In this case, it is particularly pointless, as there does not exist *any* user who can execute your method.
> It looks like the careful_getattr() function will raise a ValidationError on any attempt to access a variable whose name starts with '_'. Fine, maybe I was being naughty. But I still don't understand why this wasn't handled using LoginManager. How can I keep Basic/HTTP authentication from running when I've got LoginManager in place? Or is there reason to want both at once?
The real problem is that, at the end of the day, Zope is returning an HTTP 401 for this request, which is the only possible result (it is your browser who converts that into a dialog box).

Tres.
--
===============================================================
Tres Seaver                                tseaver@digicool.com
Digital Creations   "Zope Dealers"       http://www.zope.org
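To make the two halves of Tres's answer concrete, here is an added illustration (not Zope's or LoginManager's code) of a careful_getattr-style sandbox guard that refuses every underscore-prefixed name regardless of the caller's roles, and of a publisher that turns the resulting Unauthorized into a 401 with a WWW-Authenticate header, which is what the browser renders as a Basic-auth dialog. The FakeUser class, the two index_html functions and the "Zope" realm are constructed for the example.

```python
# Added example, not Zope's code: a sandbox attribute guard in the spirit of
# DocumentTemplate's careful_getattr, plus the 401 mapping that follows from it.


class Unauthorized(Exception):
    """Raised when a template reaches for an attribute it may not see."""


class FakeUser:
    """Constructed stand-in for AUTHENTICATED_USER (hypothetical class)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = tuple(roles)

    def getUserName(self):
        return self.name


def careful_getattr(obj, name, default=None):
    """Return obj.<name>, refusing any name that starts with '_'.

    Names such as __class__ or __dict__ are the usual way out of a template
    sandbox, so they are denied for everyone: no role can grant them, which
    is why LoginManager never gets a say in this request.
    """
    if name.startswith("_"):
        raise Unauthorized(name)
    return getattr(obj, name, default)


def publish(render, user):
    """Map a rendering outcome onto an HTTP status the way a publisher would.

    Unauthorized becomes 401 plus WWW-Authenticate; the browser, not Zope,
    turns that into a Basic-auth popup even for an already logged-in user.
    """
    try:
        body = render(user)
    except Unauthorized as exc:
        headers = {"WWW-Authenticate": 'basic realm="Zope"'}
        return 401, headers, "Unauthorized: %s" % exc
    return 200, {}, body


# Constructed sample: a logged-in member renders two DTML-like expressions.
member = FakeUser("fred", ["Member"])


def index_html_ok(user):
    return "Hello, %s" % careful_getattr(user, "getUserName")()


def index_html_bad(user):
    return str(careful_getattr(user, "__class__"))
```

Running publish(index_html_bad, member) yields the 401 path from the traceback above, while publish(index_html_ok, member) renders normally for the same user.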