[Zope] basic authorization triggered inside LoginManager context

Tres Seaver tseaver@digicool.com
Sun, 28 Jan 2001 18:23:00 -0500


Fred Yankowski <fred@ontosys.com> wrote:

> I've set up LoginManager with SQL and it's working OK, but I've run
> into a case where the browser pops up a basic/HTTP authentication
> request when I try to access a particular object inside the
> LoginManager-protected area.
> 
> In particular, I added the following line to the index_html DTML
> Document (at the same level as the LoginManager acl_users folder):
> 
>         <dtml-var "_.getattr('AUTHENTICATED_USER', '__class__')">

No can do, no how, no way:  attribute names beginning with "_" are
absolutely verboten in through-the-web DTML.
 
> Without this line I can access the index_html file after logging in
> via the LoginManager scheme as a user with the 'Members' role.  But
> with this line I get the basic authorization popup and if I cancel
> that I can see the following exception in the "Zope Error" page:
> 
> ================
> Traceback (innermost last):
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 222,
>   in publish_module
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 187,
>   in publish
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 171,
>   in publish
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\mapply.py, line 160,
>   in mapply
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 112,
>   in call_object
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\OFS\DTMLDocument.py, line 177,
>   in __call__
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_String.py,
>   line 528, in __call__
>     (Object: index_html)
>   File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py,
>   line 337, in eval
>     (Object: _.getattr('AUTHENTICATED_USER', '__class__'))
>     (Info: _)
>   File <string>, line 0, in ?
>   File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py,
>   line 144, in careful_getattr
> Unauthorized: __class__
> ================
> 
> So it looks like attempting to access the '__class__' attribute
> triggered this, but I don't understand why it led to basic
> authentication.  If this required 'Manager' permissions, why didn't I
> just get some kind of "forbidden" response?

You are already authenticated in LM, but don't (can't, actually) have
the role to do this operation (grep the Zope source for
'_what_not_even_god_should_do').  The LM can't authenticate you for what
you asked, so you bang out to Zope's default, which is to try basic auth.
In this case, it is particularly pointless, as there does not exist *any*
user who can execute your method.
 
> It looks like the careful_getattr() function will raise a
> ValidationError on any attempt to access a variable whose name starts
> with '_'.  Fine, maybe I was being naughty.  But I still don't
> understand why this wasn't handled using LoginManager.  How can I keep
> Basic/HTTP authentication from running when I've got LoginManager in
> place?  Or is there reason to want both at once?

The real problem is that, at the end of the day, Zope is returning
an HTTP 401 for this request, which is the only possible result (it
is your browser that converts that into a dialog box).

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@digicool.com
Digital Creations     "Zope Dealers"       http://www.zope.org
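
The mechanism Tres describes, as an added example that is not part of the original thread and not Zope's own code: a restricted getattr that refuses any name beginning with "_" (the check behind "Unauthorized: __class__" in the traceback), a publisher that maps every Unauthorized to a 401 challenge the way Zope does by default, and, as a hypothetical alternative the thread hints at but does not implement, a publisher that answers 403 when no user could ever satisfy the check. The names careful_getattr, publish, publish_strict, require_role and the realm string are assumptions for illustration.

```python
"""Added example (not Zope code): a model of why the thread's request ends in
an HTTP 401.  Every name below (careful_getattr, publish, publish_strict,
require_role, the realm string) is a hypothetical stand-in for the real
Zope machinery."""


class Unauthorized(Exception):
    """Restricted code touched something it may not.  'satisfiable' records
    whether some user with more roles could have succeeded."""

    def __init__(self, name, satisfiable):
        super().__init__(name)
        self.name = name
        self.satisfiable = satisfiable


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


def careful_getattr(obj, name, default=None):
    """Restricted getattr, modelled on the check behind 'Unauthorized: __class__':
    any name starting with '_' is refused regardless of who asks, because it
    would hand through-the-web code Python internals such as __class__."""
    if name.startswith("_"):
        raise Unauthorized(name, satisfiable=False)
    return getattr(obj, name, default)


def require_role(user, role):
    """Role check for a protected method; a different user could pass it."""
    if role not in user.roles:
        raise Unauthorized(role, satisfiable=True)


def publish(user, method):
    """Modelled default behaviour: every Unauthorized becomes a 401 challenge,
    which the browser renders as the basic-auth dialog.  The realm is a
    constructed value, not Zope's."""
    try:
        return 200, {}, method(user)
    except Unauthorized as exc:
        return 401, {"WWW-Authenticate": 'basic realm="Zope"'}, str(exc)


def publish_strict(user, method):
    """Hypothetical alternative: challenge only when re-authenticating as
    somebody else could help; otherwise answer 403 and skip the pointless
    dialog.  This is an assumption, not what Zope does."""
    try:
        return 200, {}, method(user)
    except Unauthorized as exc:
        if exc.satisfiable:
            return 401, {"WWW-Authenticate": 'basic realm="Zope"'}, str(exc)
        return 403, {}, str(exc)


def index_html(user):
    """Stand-in for the DTML document with the offending line
    <dtml-var "_.getattr('AUTHENTICATED_USER', '__class__')">."""
    return "class is %r" % careful_getattr(user, "__class__")


def index_html_ok(user):
    """Same document without the underscore access."""
    return "hello %s" % careful_getattr(user, "name")


def manage_something(user):
    """A method that genuinely needs the Manager role."""
    require_role(user, "Manager")
    return "managed"


if __name__ == "__main__":
    fred = User("fred", ["Members"])          # constructed sample user
    print(publish(fred, index_html))          # 401 plus WWW-Authenticate
    print(publish(fred, index_html_ok))       # 200, the page renders
    print(publish_strict(fred, index_html))   # 403: no user can do this
    print(publish_strict(fred, manage_something))  # 401: a Manager could
```

The point of publish_strict is only to make Tres's observation concrete: the 401 is correct HTTP for "you are not the right user", but for a name that starts with "_" there is no right user, so a challenge can never succeed and a 403 would have told Fred more.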