[Zope-dev] User not in User Folder problem solved! :-)
Chris Withers
chrisw@nipltd.com
Tue, 11 Jul 2000 18:35:08 +0100
Brian Lloyd wrote:
> > > That's a problem. Root index_html is viewable by Anonymous user - Zope
> > > should not complain about wrong (not in acl_users) login/password.
> >
> > It seems Zope doesn't like being presented with Authentication
> > information it knows nothing about. A more graceful way of dealing with
> > this would be to say 'I don't know who you are, so I'm going to treat
> > you as anonymous' rather than 'I don't know who you are, so f- off' ;-)
> The old (broken) behavior was that if credentials were sent,
> then an unauthorized was raised if a matching user could not
> be found to match those credentials.
>
> The new behavior is that if credentials are sent *and* no
> matching user is found *and* the resource being requested
> is accessible by Anonymous then the Anonymous user is used.
This is great and works as expected. I've converted it into a patch for
2.1.6 which is attached, in case anyone wants it.
I've also CC'ed in Ty Sarna since LoginManager, GUF and several other
things have (recently ;-) changed to support the broken logic, so they
probably need to change back now... :-S
Many thanks for fixing this, my day is getting better at last :-)
cheers,
Chris
PS:
From User.py:
PermissionRole import _what_not_even_god_should_do
what is that all about?! ;-)
--- User.py.old2 Tue Jul 11 18:13:50 2000
+++ User.py Tue Jul 11 18:17:13 2000
@@ -445,10 +445,16 @@
# Try to get user
user=self.getUser(name)
if user is None:
+ if self._isTop() and self._nobody.allowed(parent, roles):
+ user=self._nobody.__of__(self)
+ return user
return None
# Try to authenticate user
if not user.authenticate(password, request):
+ if self._isTop() and self._nobody.allowed(parent,roles):
+ user=self._nobody.__of__(self)
+ return user
return None
# We need the user to be able to acquire!
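Review bot: in the failed-`authenticate` branch, a wrong password for an existing user now silently becomes Anonymous on any resource Anonymous may access, exactly as for an unknown name; if that is intended, say so in a comment there, since the client gets no signal that its credentials were rejected. The three added lines are also duplicated in both branches (differing only in `parent,roles` vs `parent, roles` spacing), so a small helper, or a direct `return self._nobody.__of__(self)`, would keep the two fallbacks from drifting apart. A one-line comment on why the fallback is limited to `self._isTop()` would help the next reader.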
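The old and new rules described in the quoted reply, modelled as a stand-alone Python sketch (an added example, not Zope's code and not part of the original message). `UserFolder`, `validate_old`, `validate_new`, `decision_table` and the sample user are hypothetical, and the role check after authentication is an assumption, since the hunk does not show it.

```python
# Added illustration: a stand-alone model of the rule, not Zope's User.py.
# All names below are hypothetical; the sample user is constructed.
import hmac

ANONYMOUS = "Anonymous User"
SAMPLE_USERS = {"chris": ("s3cret", ["Manager"])}  # name -> (password, roles)

class UserFolder:
    def __init__(self, users, is_top=True):
        self.users = users
        self.is_top = is_top    # stands in for the patch's self._isTop()

    def _lookup(self, name, password):
        """Return the user's roles if the credentials match, else None."""
        stored, roles = self.users.get(name, (None, None))
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        return roles

    def validate_old(self, name, password, required_roles):
        """Old rule: unmatched credentials always fail (None = Unauthorized)."""
        roles = self._lookup(name, password)
        if roles is None:
            return None
        # Assumed authorization step; the hunk on the page does not show it.
        return name if set(roles) & set(required_roles) else None

    def validate_new(self, name, password, required_roles):
        """New rule: unmatched credentials fall back to Anonymous, but only in
        the top-level folder and only if Anonymous may access the resource."""
        roles = self._lookup(name, password)
        if roles is None:
            if self.is_top and "Anonymous" in required_roles:
                return ANONYMOUS
            return None
        return name if set(roles) & set(required_roles) else None

def decision_table(folder):
    """Run both rules over constructed requests; returns {case: (old, new)}."""
    public, private = ["Anonymous", "Manager"], ["Manager"]
    cases = {
        "unknown user, public": ("ghost", "x", public),
        "bad password, public": ("chris", "wrong", public),
        "bad password, private": ("chris", "wrong", private),
        "good password, private": ("chris", "s3cret", private),
    }
    return {k: (folder.validate_old(*a), folder.validate_new(*a))
            for k, a in cases.items()}
```

Unmatched credentials never yield the named user under either rule; the new rule only changes the outcome for resources Anonymous could already reach, and only in the top-level folder.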