[Zope-dev] Re: [Zope] GenericUserFolder authenticates but Zope rejects

Stuart 'Zen' Bishop zen@cs.rmit.edu.au
Thu, 2 Dec 1999 19:01:37 +1100 (EST)


[Redirected to zope-dev]

On Wed, 1 Dec 1999, Sam Gendler wrote:

> I bumped into something like this with UserDB.  If you access an object that
> requires authentication directly (go to its url), the appropriate acl_users folder
> gets used (in my case, UserDB).  However, if I attempted to access an object that
> requires no authentication, but which calls methods that are restricted, Zope
> seemed to only want to use the acl_users folder in the root directory of the zope
> install, or else superuser was the only user that worked; I can't remember which
> way it worked.  At any rate, if you make the containing object require
> authentication, everything should work again.

I tracked down at least one case where this sort of thing happened and
worked around it. The cases I came across were mainly accessing a
document when you were not already authenticated.

The first example is a document that returns a different result if
it is called via GET or called via POST.

The second example is the manage method - as far as I managed to
track it down, if I modified the RESPONSE during authentication
(i.e. RESPONSE.setCookie('_gufauth',blah)), then the manage method would
return a document which tried to populate its frames with manage_main
and manage_menu from the root folder. I still don't know if this is a bug or
a feature, so it isn't in the collector. I'm leaning towards a bug in Zope
but it is rather obscure and hard to describe in words or demonstrate
without 3rd party code.

Both the cases I found have been solved using double indirection
(your POST calls docLoginSuccess, which can do nifty stuff or just
REDIRECT to the real location).

-- 
 ___
   //     Zen (alias Stuart Bishop)     Work: zen@cs.rmit.edu.au
  // E N  Senior Systems Alchemist      Play: zen@shangri-la.dropbear.id.au
 //__     Computer Science, RMIT 	 WWW: http://www.cs.rmit.edu.au/~zen
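The "double indirection" workaround in the message above (the POST goes to a login-success handler that sets the auth cookie and redirects, and the real document is then fetched with a plain GET that only has to look at the cookie) is the same shape as today's Post/Redirect/Get login flow. The following is an added illustration of that pattern written as a plain WSGI app; it is not Zope or GenericUserFolder code. The `docLoginSuccess` path, the `_gufauth` cookie name, the user table, the secret and the request builder are all constructed for the example. The cookie value is the username bound to an HMAC under the demo secret, so the document hop can trust it without re-authenticating, and the `next` target is restricted to a local path so the redirect cannot be pointed off-site.

```python
"""Post/Redirect/Get login handler (added illustration, not Zope code)."""
import hashlib
import hmac
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SECRET = b"constructed-demo-secret"  # placeholder; a real deployment loads a random key
USERS = {"alice": "correct horse"}    # constructed sample credentials
COOKIE_NAME = "_gufauth"              # cookie name mentioned in the message above
LOGIN_PATH = "/docLoginSuccess"       # hypothetical handler path, after the message's docLoginSuccess


def make_token(user):
    """Bind the username to a MAC so the cookie cannot be forged without SECRET."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def user_from_token(token):
    """Return the username if the cookie token verifies, else None."""
    user, _, mac = (token or "").rpartition(".")
    if not user:
        return None
    expected = make_token(user).rpartition(".")[2]
    return user if hmac.compare_digest(mac, expected) else None


def current_user(environ):
    """Identify the caller from the auth cookie alone (the GET hop needs nothing else)."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(COOKIE_NAME)
    return user_from_token(morsel.value) if morsel else None


def safe_next(target):
    """Only redirect to a local absolute path; anything else falls back to '/'."""
    if target.startswith("/") and not target.startswith("//"):
        return target
    return "/"


def login_success(environ):
    """The POST hop: authenticate, set the cookie, redirect. Never renders the document."""
    if environ.get("REQUEST_METHOD") != "POST":
        return "405 Method Not Allowed", [("Content-Type", "text/plain")], b"POST only"
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode())
    user = form.get("user", [""])[0]
    password = form.get("password", [""])[0]
    if user not in USERS or not hmac.compare_digest(USERS[user].encode(), password.encode()):
        return "403 Forbidden", [("Content-Type", "text/plain")], b"bad credentials"
    cookie = f"{COOKIE_NAME}={make_token(user)}; Path=/; HttpOnly; SameSite=Lax"
    headers = [("Set-Cookie", cookie), ("Location", safe_next(form.get("next", ["/"])[0]))]
    return "303 See Other", headers, b""


def protected_document(environ):
    """The real location: a plain GET that decides on the cookie only."""
    user = current_user(environ)
    if user is None:
        return "401 Unauthorized", [("Content-Type", "text/plain")], b"login required"
    return "200 OK", [("Content-Type", "text/plain")], f"hello {user}".encode()


def app(environ, start_response):
    """WSGI entry point routing the two hops."""
    handler = login_success if environ.get("PATH_INFO") == LOGIN_PATH else protected_document
    status, headers, body = handler(environ)
    start_response(status, headers)
    return [body]


def make_environ(method, path, body=b"", cookie=""):
    """Build a minimal WSGI environ for offline testing (constructed input)."""
    return {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "HTTP_COOKIE": cookie,
        "wsgi.input": io.BytesIO(body),
    }


def demo():
    """Walk both hops: POST login -> 303 with cookie -> GET document -> 200."""
    post = make_environ("POST", LOGIN_PATH, b"user=alice&password=correct+horse&next=/secret")
    status, headers, _ = login_success(post)
    set_cookie = dict(headers)["Set-Cookie"].split(";", 1)[0]
    get = make_environ("GET", "/secret", cookie=set_cookie)
    return status, dict(headers)["Location"], protected_document(get)[0]


if __name__ == "__main__":
    print(demo())
```

The point of splitting the flow is the one the message makes: the handler that mutates the response (sets the cookie) returns nothing but a redirect, so the document that actually renders is reached by an ordinary GET whose only authentication input is the cookie, and the GET-versus-POST and frame-population quirks described above never come into play.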