[ZPatterns] LoginManager auth type screwiness

John Eikenberry jae-zpat@kavi.com
Thu, 21 Jun 2001 13:48:24 -0700


Fixed this by modifying the validate method on LoginManager. Just after the
user object is retrieved from the loginMethod and before the user existence
check (around line 242) I added this:

        # parents: the traversal path of the checked item, innermost first
        if parents:
            for p in parents:
                # take the first (innermost) container whose __roles__ is
                # narrower than the roles of the item being checked
                if hasattr(p,'__roles__') and \
                        (len(p.__roles__) < len(roles)):
                    roles = p.__roles__
                    break

This restricts the roles of the checked item to the most restrictive in the
traversal path. The len() test works because the applied permissions will
necessarily be a subset of those of its containing parents (you can't add
permissions further into containment, only take them away).

The more limited set of roles causes the failure of the anonymous user's
allowed test, causing it to pass through to the loginForm stuff.

The one hitch is that a folder's roles (__roles__) aren't adjusted unless
the access contents permission is restricted. But in practice, this
shouldn't be an issue.

I realized after the initial post that this might not have been the most
appropriate forum for my question. But having come up with a solution, I
felt it better to off-topic post once more than to leave a question w/o an
answer.


John Eikenberry wrote:

> Specs:
> 
> Zope 2.2.5
> LoginManager 8.8b1
> ZPatterns 4.3b2
> python 1.5.2
> 
> I've reproduced this on 2 zope setups. One using zclass based dataskins and
> one python based. 
> 
> How to reproduce: 
> 
> Set up a working LoginManager with CookieLogin and BasicAuth LoginMethods
> (in that order). Create a new role and a user with the role. Create a
> folder containing an index_html (with default content), create an empty
> sub-folder with view/access permissions limited to the role you created.
> 
> View that subfolder from a new browser... boom, a popup basic auth window.
> You can login with it, or cancel it and the unauth error is: 
> 
>     You are not authorized to access title_or_id.
> 
> Create a dtml method in the subfolder and view it... cookie auth loginForm
> is displayed.
> 
> What I'm shooting for is the cookie loginform to always be shown. 
> 
> Any tips?
> 
> Thanks in advance,
> 

-- 

John Eikenberry [jae@kavi.com]
______________________________________________________________
"A society that will trade a little liberty for a little order
 will deserve neither and lose both."
                                          --B. Franklin
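The check described in the post, written out as a stand-alone simulation (added example; this is neither the poster's patch nor LoginManager's or Zope's code). It models objects carrying a Zope-style `__roles__` tuple and a parents list ordered innermost-first (assumed here to match how Zope's REQUEST['PARENTS'] is ordered), applies the same len() rule as the snippet above to narrow the roles of the checked item, and then runs the anonymous-user test with and without that narrowing. The object names, role names and the `validate`/`restrict_roles` helpers are constructed for the example, as is the "hitch" case where the subfolder carries no `__roles__` of its own.

```python
"""Simulation of narrowing a checked item's roles to the most restrictive
__roles__ found along its traversal path (constructed example, not Zope code).
"""

# Roles an unauthenticated request carries (constructed; Zope's anonymous
# user has the single role 'Anonymous').
ANONYMOUS_ROLES = ("Anonymous",)


class Obj:
    """Minimal stand-in for a Zope object; __roles__ is only set when the
    object has its own (restricted) permission settings."""

    def __init__(self, oid, roles=None):
        self.id = oid
        if roles is not None:
            self.__roles__ = tuple(roles)  # no name mangling: trailing __


def restrict_roles(roles, parents):
    """The post's rule: walk parents innermost-first and take the first
    __roles__ that is shorter than the item's roles.  Relies on the fact
    that roles further down the containment path are a subset of the
    parent's, so 'fewer roles' means 'more restrictive'."""
    roles = tuple(roles)
    for p in parents:
        p_roles = getattr(p, "__roles__", None)
        if p_roles is not None and len(p_roles) < len(roles):
            return tuple(p_roles)
    return roles


def allowed(user_roles, roles):
    """Role check: the user needs at least one of the required roles."""
    return any(r in roles for r in user_roles)


def validate(item_roles, parents, user_roles, restrict=True):
    """Return 'allowed' when the role test passes, otherwise 'login_form'
    (the branch that falls through to the cookie login form)."""
    roles = restrict_roles(item_roles, parents) if restrict else tuple(item_roles)
    return "allowed" if allowed(user_roles, roles) else "login_form"


def demo():
    """Constructed scenario from the bug report: a root folder viewable by
    anyone, a subfolder limited to the custom role 'Member', and a checked
    item whose own roles were inherited from the root."""
    root = Obj("root", ("Anonymous", "Manager"))
    sub = Obj("sub", ("Member",))          # restricted subfolder
    sub_unrestricted = Obj("sub")          # the 'hitch': no __roles__ set
    item_roles = ("Anonymous", "Manager")  # inherited from root
    return {
        # without the fix the anonymous check passes and the login form
        # is never reached
        "anon_before_fix": validate(item_roles, [sub, root], ANONYMOUS_ROLES,
                                    restrict=False),
        # with the fix the subfolder's narrower roles apply
        "anon_after_fix": validate(item_roles, [sub, root], ANONYMOUS_ROLES),
        # a user holding the role still gets through
        "member_after_fix": validate(item_roles, [sub, root], ("Member",)),
        # subfolder without its own __roles__: nothing to narrow to
        "anon_unrestricted_sub": validate(item_roles,
                                          [sub_unrestricted, root],
                                          ANONYMOUS_ROLES),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The last case in `demo()` is the caveat from the post: a folder that has not had its access-contents permission restricted carries no `__roles__`, so the walk finds nothing narrower and the anonymous test still passes.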