[Zope-PAS] SVN: Products.PluggableAuthService/trunk/Products/PluggableAuthService/ Changed HTTPBasicAuthHelper to not rely on two obscure features of the HTTPResponse.
Tres Seaver
tseaver at palladion.com
Mon May 11 22:58:18 EDT 2009
Hanno Schlichting wrote:
> Log message for revision 99858:
> Changed HTTPBasicAuthHelper to not rely on two obscure features of the HTTPResponse.
>
>
> Changed:
> U Products.PluggableAuthService/trunk/Products/PluggableAuthService/doc/HISTORY.txt
> U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/HTTPBasicAuthHelper.py
> U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_HTTPBasicAuthHelper.py
>
> -=-
> Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/doc/HISTORY.txt
> ===================================================================
> --- Products.PluggableAuthService/trunk/Products/PluggableAuthService/doc/HISTORY.txt 2009-05-11 21:38:04 UTC (rev 99857)
> +++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/doc/HISTORY.txt 2009-05-12 00:57:46 UTC (rev 99858)
> @@ -1,6 +1,8 @@
> PluggableAuthService historic changes
> =====================================
>
> +- Changed HTTPBasicAuthHelper to not rely on two obscure features of the
> + HTTPResponse.
>
> PluggableAuthService 1.4 (2006-08-28)
> -------------------------------------
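Review bot: The new HISTORY.txt entry says "two obscure features of the HTTPResponse" without naming either one. Going by the code hunks in this same revision they are addHeader and the debug_mode / _auth attributes; naming them in the entry, and stating that the challenge now uses setHeader, would let someone reading the changelog later see that the header call changed.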
>
> Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/HTTPBasicAuthHelper.py
> ===================================================================
> --- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/HTTPBasicAuthHelper.py 2009-05-11 21:38:04 UTC (rev 99857)
> +++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/HTTPBasicAuthHelper.py 2009-05-12 00:57:46 UTC (rev 99858)
> @@ -17,8 +17,6 @@
> $Id$
> """
>
> -from zExceptions import Unauthorized
> -
> from AccessControl.SecurityInfo import ClassSecurityInfo
> from App.class_init import default__class_init__ as InitializeClass
>
> @@ -99,15 +97,9 @@
> """
> realm = response.realm
> if realm:
> - response.addHeader('WWW-Authenticate',
> + response.setHeader('WWW-Authenticate',
> 'basic realm="%s"' % realm)
> m = "<strong>You are not authorized to access this resource.</strong>"
> - if response.debug_mode:
> - if response._auth:
> - m = m + '<p>\nUsername and password are not correct.'
> - else:
> - m = m + '<p>\nNo Authorization header found.'
> -
> response.setBody(m, is_error=1)
> response.setStatus(401)
> return 1
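Review bot: The switch from response.addHeader to response.setHeader for 'WWW-Authenticate' has no check for a challenge that is already on the response. A set-style call replaces the header value rather than adding another one, so a WWW-Authenticate value put on the response earlier in the same request would be lost when this method runs. Either keep addHeader here, or state in a comment and in HISTORY.txt that a single challenge is intended. The removal of the debug_mode branch, which also stops reading the private response._auth, is an unrelated change and would be easier to review on its own.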
>
> Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_HTTPBasicAuthHelper.py
> ===================================================================
> --- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_HTTPBasicAuthHelper.py 2009-05-11 21:38:04 UTC (rev 99857)
> +++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/tests/test_HTTPBasicAuthHelper.py 2009-05-12 00:57:46 UTC (rev 99858)
> @@ -43,7 +43,6 @@
>
> _unauthorized_called = 0
> realm = 'unit test'
> - debug_mode = 0
> headers = {}
>
> def unauthorized( self ):
> @@ -58,10 +57,6 @@
>
> self.headers[name] = value
>
> - def addHeader(self, name, value):
> -
> - self.headers[name] = value
> -
> def setBody(self, body, is_error=0):
> self.body = body
>
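Review bot: With addHeader removed from the fake response, the only header-writing code left in view is self.headers[name] = value, a plain dict assignment, so this test double cannot tell "replace the header" from "add another header". Add a challenge test that starts with a WWW-Authenticate value already stored on the response and asserts what the helper leaves there, so the behaviour this revision intends is pinned down by the suite.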
> @@ -100,8 +95,6 @@
> 'remote_host': '', 'remote_address': '' } )
>
> def test_challenge( self ):
> - from zExceptions import Unauthorized
> -
> helper = self._makeOne()
> request = FauxHTTPRequest()
> response = FauxHTTPResponse()
Hanno, do you know *why* that feature was used? HTTP allows *multiple*
challenges to be issued for a single request (e.g., one digest, one
basic, or two basic challenges with different realms). Your change
makes it only possible to send one (the last one).
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
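
The header behaviour raised in the reply above, as an added example that is not part of the original message or of PluggableAuthService: MiniResponse is a constructed stand-in (not Zope's HTTPResponse) that assumes setHeader replaces a header and addHeader appends one, and the three challenge values are constructed samples.

```python
# Added illustration; MiniResponse is a constructed stand-in, not Zope's HTTPResponse.
class MiniResponse:
    def __init__(self):
        self.headers = {}       # setHeader: one value per header name
        self.accumulated = []   # addHeader: one header line per call

    def setHeader(self, name, value):
        self.headers[name.lower()] = value              # replaces earlier value

    def addHeader(self, name, value):
        self.accumulated.append((name.lower(), value))  # keeps earlier values

    def challenges(self):
        """All WWW-Authenticate values that would be sent with the 401."""
        sent = []
        if 'www-authenticate' in self.headers:
            sent.append(self.headers['www-authenticate'])
        sent += [v for n, v in self.accumulated if n == 'www-authenticate']
        return sent


def issue_challenges(method, offers):
    """Each hypothetical challenge plugin announces its scheme via `method`."""
    response = MiniResponse()
    for value in offers:
        getattr(response, method)('WWW-Authenticate', value)
    return response.challenges()


def schemes(challenges):
    """Auth scheme names a client could choose from, in the order sent."""
    return [c.split(None, 1)[0].lower() for c in challenges]


# Constructed sample: one digest challenge, then two basic challenges
# with different realms (the cases named in the reply).
OFFERS = [
    'Digest realm="unit test", nonce="constructed-nonce"',
    'basic realm="unit test"',
    'basic realm="other realm"',
]

if __name__ == '__main__':
    for method in ('setHeader', 'addHeader'):
        sent = issue_challenges(method, OFFERS)
        print(method, '->', len(sent), 'challenge(s):', schemes(sent))
```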