[Zope] PythonScripts bypasses LoginManager validation

Fred Yankowski fred@ontosys.com
Tue, 6 Mar 2001 17:12:00 -0600


In Zope 2.3.1b1, it seems that PythonScripts can cause basic HTML
validation, even in the context of LoginManager.

My test situation is like this, in terms of Zope folders and objects:

  test_folder/
    acl_users (Login Manager)/
    script1 (a Python Script)
    restricted (a DTML Method)

'script1' calls 'restricted'.  This works fine as Anonymous if
'restricted' has View permission for Anonymous.

But if I disable View permission for Anonymous on 'restricted' and
then access 'script1', I get a browser-generated Basic HTML
authorization dialog, rather than the LoginManager login window (which
works fine in other cases).

So, this is a bug in PythonScripts, right?  Shouldn't it do
authentication and authorization using the controlling acl_users,
LoginManager in this case, rather than causing Basic Authorization to
occur?

It also looks to me like PythonScripts don't get the right
authorization when invoked by a Method that has a Proxy role set, but
that's an issue for another time...

-- 
Fred Yankowski           fred@OntoSys.com      tel: +1.630.879.1312
Principal Consultant     www.OntoSys.com       fax: +1.630.879.1370
OntoSys, Inc             38W242 Deerpath Rd, Batavia, IL 60510, USA