[Zope] PythonScripts bypasses LoginManager validation
Fred Yankowski
fred@ontosys.com
Tue, 6 Mar 2001 17:12:00 -0600
In Zope 2.3.1b1, it seems that PythonScripts can cause basic HTML
validation, even in the context of LoginManager.

My test situation is like this, in terms of Zope folders and objects:

    test_folder/
        acl_users (Login Manager)/
        script1 (a Python Script)
        restricted (a DTML Method)

'script1' calls 'restricted'. This works fine as Anonymous if
'restricted' has View permission for Anonymous.

But if I disable View permission for Anonymous on 'restricted' and
then access 'script1', I get a browser-generated Basic HTML
authorization dialog, rather than the LoginManager login window (which
works fine in other cases).

So, this is a bug in PythonScripts, right? Shouldn't it do
authentication and authorization using the controlling acl_users,
LoginManager in this case, rather than causing Basic Authorization to
occur?

It also looks to me like PythonScripts don't get the right
authorization when invoked by a Method that has a Proxy role set, but
that's an issue for another time...
--
Fred Yankowski fred@OntoSys.com tel: +1.630.879.1312
Principal Consultant www.OntoSys.com fax: +1.630.879.1370
OntoSys, Inc 38W242 Deerpath Rd, Batavia, IL 60510, USA