[Zope-dev] Authentication Patch

Anthony Baxter <anthony@interlink.com.au>
Tue, 25 Jan 2000 18:56:38 +1100

>>> Evan Simpson wrote
> I got tired of dealing with the weird mechanics cookie-based logins have
> to deal with, where standard_html_error and tracebacks intrude on login
> intercepts.  I came up with the following minor change, which works
> great for me, and might make GenericUserFolder's job easier, too.

> In ZPublisher/HTTPRequest.py (or SiteAccess/ChangeBehaviors.py, if you
minor glitchlet: it's in BaseRequest.py.

> use SiteAccess), change the lines:
> 
>             if user is None and roles != UNSPECIFIED_ROLES:
>                 response.unauthorized()
> to:
>             if user is None and roles != UNSPECIFIED_ROLES:
>                 object = response.unauthorized

> Under normal circumstances, this has no effect, since
> 'response.unauthorized' will be called as soon as it is returned and
> will raise its exception as usual.  Now however, we add a twist; When
> the cookie-based authenticator fails, it replaces
> 'response.unauthorized' with its 'login' document.  If no higher-level
> authentication succeeds, the 'login' document is rendered normally.
> Since 'response' is re-created with each request, this modification has
> no effect beyond the current request.

I'm trying to puzzle through the access control code - right now,
if a login validate method fails, they typically do something like 
       raise 'LoginRequired', self.docLogin(self, request)

should they just, in this case, return back None, and let the machinery
deal with it? Hm, in that case, wouldn't that then just recurse back through
the parent folders looking for additional access controls? So if you had
/a/acl_users and /a/b/acl_users, and both used something like the above, 
a request to /a/b/foo would get the /a/acl_users' docLogin page... ?

Anthony
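The mechanism Evan describes and the nesting question Anthony raises, as an added toy model that is not part of this thread and not Zope's BaseRequest or HTTPResponse code. It assumes, following the thread's own description, that traversal has collected the acl_users folders along the path and tries each folder's validate() from the innermost folder outward, and that a cookie-based folder replaces response.unauthorized with its login document every time its validation fails. The class names, the folder contents and the request dictionaries are all constructed for the illustration.

```python
# Toy model of the per-request "unauthorized" hook discussed in this thread.
# Added illustration only; this is NOT Zope's BaseRequest/HTTPResponse code.
# Assumptions (taken from the thread's description, not verified against Zope):
#   * traversal has collected the acl_users folders on the path, and each
#     folder's validate() is tried from the innermost folder outward;
#   * a cookie-based folder that fails replaces response.unauthorized with
#     its login document, and does so every time it fails.

UNSPECIFIED_ROLES = object()  # stand-in for Zope's sentinel value


class Unauthorized(Exception):
    """Raised by the default hook when roles were required but no user was found."""


class Response:
    """Created fresh for every request, so a swapped hook never outlives it."""

    def __init__(self):
        self.unauthorized = self._raise_unauthorized

    def _raise_unauthorized(self):
        raise Unauthorized("authentication required")


class BasicUserFolder:
    """Hypothetical folder checking request credentials; on failure it returns None."""

    def __init__(self, path, users):
        self.path = path
        self.users = users

    def validate(self, request, response):
        name = request.get("basic_auth")
        return name if name in self.users else None


class CookieUserFolder:
    """Hypothetical cookie folder implementing the 'twist': on failure it installs
    its login document as response.unauthorized instead of raising."""

    def __init__(self, path, users):
        self.path = path
        self.users = users

    def docLogin(self):
        return "<login page from %s/acl_users>" % self.path

    def validate(self, request, response):
        name = request.get("cookie")
        if name in self.users:
            return name
        response.unauthorized = self.docLogin  # the per-request swap
        return None


def traverse(folders, request, roles, published):
    """Mimics the tail of the patched traverse(): returns the object to publish."""
    response = Response()
    user = None
    for folder in folders:  # assumption: innermost acl_users first
        user = folder.validate(request, response)
        if user is not None:
            break
    if user is None and roles != UNSPECIFIED_ROLES:
        # The patched line: hand back the hook instead of calling it here.
        return response.unauthorized
    return published


def publish(folders, request, roles=("Manager",), published="<protected page>"):
    """Render what traverse() returned: call the hook, or return the page.
    The default hook's exception is reported as a 401 string for readability."""
    obj = traverse(folders, request, roles, published)
    try:
        return obj() if callable(obj) else obj
    except Unauthorized:
        return "401 Unauthorized"


if __name__ == "__main__":
    inner = CookieUserFolder("/a/b", {"bob"})
    outer = CookieUserFolder("/a", {"alice"})
    # Both cookie folders fail: the outer folder swaps the hook last and wins.
    print(publish([inner, outer], {}))
```

Run with no arguments to see the nested case from Anthony's question: with cookie folders at both /a/b and /a and no valid cookie, the inner folder swaps the hook in first and the outer folder then overwrites it, so the page served for /a/b/foo is /a/acl_users' login document under these assumptions. Swapping the order of the loop, or having a folder only install the hook when none is installed yet, changes that outcome, which is the design decision the thread leaves open.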