[Zope] basic authorization triggered inside LoginManager context
Fred Yankowski
fred@ontosys.com
Sun, 28 Jan 2001 13:19:05 -0600
I've set up LoginManager with SQL and it's working OK, but I've run
into a case where the browser pops up a basic/HTTP authentication
request when I try to access a particular object inside the
LoginManager-protected area.
In particular, I added the following line to the index_html DTML
Document (at the same level as the LoginManager acl_users folder):
<dtml-var "_.getattr('AUTHENTICATED_USER', '__class__')">
Without this line I can access the index_html file after logging in
via the LoginManager scheme as a user with the 'Members' role. But
with this line I get the basic authorization popup and if I cancel
that I can see the following exception in the "Zope Error" page:
================
Traceback (innermost last):
File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 222,
in publish_module
File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 187,
in publish
File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 171,
in publish
File D:\PROGRA~1\Zope225\lib\python\ZPublisher\mapply.py, line 160,
in mapply
(Object: index_html)
File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 112,
in call_object
(Object: index_html)
File D:\PROGRA~1\Zope225\lib\python\OFS\DTMLDocument.py, line 177,
in __call__
(Object: index_html)
File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_String.py,
line 528, in __call__
(Object: index_html)
File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py,
line 337, in eval
(Object: _.getattr('AUTHENTICATED_USER', '__class__'))
(Info: _)
File <string>, line 0, in ?
File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py,
line 144, in careful_getattr
Unauthorized: __class__
================
So it looks like attempting to access the '__class__' attribute
triggered this, but I don't understand why it led to basic
authentication. If this required 'Manager' permissions, why didn't I
just get some kind of "forbidden" response?
It looks like the careful_getattr() function will raise a
ValidationError on any attempt to access a variable whose name starts
with '_'. Fine, maybe I was being naughty. But I still don't
understand why this wasn't handled using LoginManager. How can I keep
Basic/HTTP authentication from running when I've got LoginManager in
place? Or is there reason to want both at once?
--
Fred Yankowski fred@OntoSys.com tel: +1.630.879.1312
Principal Consultant www.OntoSys.com fax: +1.630.879.1370
OntoSys, Inc 38W242 Deerpath Rd, Batavia, IL 60510, USA
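The post describes a guard that refuses any attribute whose name starts with an underscore and raises Unauthorized, which Zope's publisher then turns into a 401 challenge (the basic-auth popup). The following is an added illustration, not Zope's or LoginManager's own code, of such a restricted lookup in plain Python: the AuthenticatedUser class, the careful_getattr and render_lookup functions and the sample user are all constructed for this example. It shows the defensive point of the rule (blocking __class__, __dict__ and similar introspection hooks from template code) and how a caller can report the refused name as a "forbidden" result rather than propagating it as an authentication challenge.

```python
# Added example (not Zope's own code): a restricted attribute lookup in the
# spirit of the careful_getattr() behaviour described in the post. Names
# that begin with an underscore are refused so that template code cannot
# reach __class__, __dict__ and similar introspection hooks.
import re

_PROTECTED = re.compile(r"^_")


class Unauthorized(Exception):
    """Raised when template code asks for a protected attribute."""


class AuthenticatedUser:
    """Constructed stand-in for the AUTHENTICATED_USER object (hypothetical)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = tuple(roles)

    def getUserName(self):
        return self.name

    def getRoles(self):
        return self.roles


def careful_getattr(obj, name):
    """Return obj.<name> unless the name is protected.

    Refusing every underscore-prefixed name is deliberately coarse: it
    blocks __class__ (and through it __module__, __subclasses__ and the
    rest of the object model) with no per-attribute allowlist to maintain.
    """
    if _PROTECTED.match(name):
        raise Unauthorized(name)
    return getattr(obj, name)


def render_lookup(obj, name):
    """Simulate a template evaluating _.getattr(obj, name).

    Returns (ok, result): on success result is the attribute value; on a
    refused name result is the offending attribute name, which is what a
    'forbidden' style error page would report instead of answering with a
    401 credential challenge.
    """
    try:
        return True, careful_getattr(obj, name)
    except Unauthorized as exc:
        return False, str(exc)


if __name__ == "__main__":
    user = AuthenticatedUser("fred", ["Members"])  # constructed sample user
    ok, method = render_lookup(user, "getUserName")
    print(ok, method())                     # True fred
    print(render_lookup(user, "__class__"))  # (False, '__class__')
```

The design choice worth noting is the exception type: if the guard raises the same exception the publisher uses for "no valid credentials", every refused lookup becomes a login prompt, which is the symptom in the post. Catching it at the rendering boundary and mapping it to a forbidden-style result keeps the guard while leaving the login flow to the configured user folder.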