Re: [Zope-Coders] Wrong username and password == Anonymous User?
On Fri, Apr 22, 2005 at 09:11:28AM +0100, Chris Withers wrote:
| Sidnei da Silva wrote:
|
| Well, my use-case is actually for WebDAV. So you won't just visit a
| different part of the site at random. I'm currently trying to
| understand if this would be a problem for WebDAV too.
|
| Nevertheless, since you're in the code already, can you add the big
| comment explaining why it is like it is?
| (or tell me a file and line number so I can do it)

There's a patch attached to the first message of the thread.

--
Sidnei da Silva [EMAIL PROTECTED]
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

glyph So...
glyph XML.
*** Quits: dash:#twisted [EMAIL PROTECTED] (Read error: 113 (No route to host))
glyph Wow... just _saying_ it makes him disappear

___
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders
Re: [Zope-Coders] Wrong username and password == Anonymous User?
On 4/21/05, Chris Withers [EMAIL PROTECTED] wrote:

If it's accessible by anonymous that is the same as not requiring authorization.

I don't think that's the case. I have a specific requirement on the project I'm currently working on to know who the current user is, even if the something is anonymously accessible.

So you *allow* authorization, and use it, but you don't *require* it.

Perhaps userfolders should have the opportunity to do something as they're traversed through to authenticate, rather than waiting until something that requires authorisation kicks them off?

Sounds reasonable.

Nope, not IE. Yes, that is non-standard.

Are you sure? I'm pretty sure I remember the ZMI's logout link working in IE, and that relies on returning 401's...

Last time I checked it didn't work.

But they do that so that if you click on something that you can NOT access, you can continue surfing without having to log in again. Which actually is pretty reasonable in a way.

...not if they don't also provide a method to consciously drop basic auth headers ;-)

Yet Another Crappy Standard.

Well, I have to say I was really disappointed when I read the W3C specs for response codes. They freely interchange authentication and authorization, which are two totally different concepts :-(

Right.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope-Coders] Wrong username and password == Anonymous User?
On 4/20/05, Sidnei da Silva [EMAIL PROTECTED] wrote:

Supposedly you would not be able to access that part of the site until you authenticate against it. Isn't that the case now?

Assuming it requires authentication, yes.

The main problem here is that Internet Explorer doesn't allow you to log out, for example.

So, in principle, invalid credentials should raise an error, but in practice, you can't do that if you use Simple HTTP authentication. With other authentication schemes, where you can log out properly, it would be possible.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope-Coders] Wrong username and password == Anonymous User?
Lennart Regebro wrote:

Supposedly you would not be able to access that part of the site until you authenticate against it. Isn't that the case now?

Assuming it requires authentication, yes.

And if it doesn't require authentication? Also, what determines whether it requires authentication? Authorisation requirements or something else?

The main problem here is that Internet Explorer doesn't allow you to log out, for example.

I thought returning enough 401's usually prompts any browser to drop its basic auth?

So, in principle, invalid credentials should raise an error, but in practice, you can't do that if you use Simple HTTP authentication.

Why not? Surely they should just get a 403 response?

cheers,

Chris

--
Simplistix - Content Management, Zope Python Consulting
- http://www.simplistix.co.uk
Re: [Zope-Coders] Wrong username and password == Anonymous User?
On Wed, Apr 20, 2005 at 06:22:10PM +0200, Lennart Regebro wrote:

On 4/20/05, Chris Withers [EMAIL PROTECTED] wrote:

Lennart Regebro wrote:

Supposedly you would not be able to access that part of the site until you authenticate against it. Isn't that the case now?

Assuming it requires authentication, yes.

And if it doesn't require authentication?

It would fail, since you supplied incorrect authentication. That's pretty counter-intuitive. You are logged in, and click on a part of the site where you should not need authentication, and you get authentication errors. ;)

That's what I was trying to tease out but I couldn't put my finger on it late last night. Thanks Lennart.

--
Paul Winkler
http://www.slinkp.com
Re: [Zope-Coders] Wrong username and password == Anonymous User?
On Wed, 20 Apr 2005 12:09 pm, Sidnei da Silva wrote:

- If you want to access an anonymous page, you will *not* be sending auth credentials.

Why do you say that? Cookie auth doesn't distinguish between anonymous pages and pages that require a user, so the cookie will be sent for every request. IIRC, this is also how Basic Auth works, once your browser knows you've got valid credentials for a site.

Richard
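
Added example, not part of the thread and not Zope's code: a minimal Python sketch of the two policies debated above, lenient (invalid credentials fall back to Anonymous User) and strict (invalid credentials are rejected), for a client that resends its credentials on every request. The user table, paths and function names are assumptions made for illustration, and answering the strict case with 401 is one choice; the thread also raises 403.

```python
import base64
import hmac

# Constructed sample data (assumptions, not Zope's user folder API).
USERS = {"alice": "s3cret"}
PROTECTED = {"/manage"}
ANONYMOUS = "Anonymous User"

def basic(user, password):
    """Build the header a browser sends once it has cached credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authenticate(header):
    """Return the user name if the credentials check out, else None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    expected = USERS.get(creds[0])
    if expected is None:
        return None
    ok = hmac.compare_digest(expected.encode(), creds[1].encode())
    return creds[0] if ok else None

def decide(path, header, strict):
    """Return (status, user). strict=True rejects any invalid credentials;
    strict=False silently treats them as the anonymous user."""
    user = authenticate(header)
    if user is not None:
        return 200, user  # identity known even on public pages
    if path in PROTECTED or (strict and header is not None):
        return 401, None  # would carry a WWW-Authenticate challenge
    return 200, ANONYMOUS

if __name__ == "__main__":
    stale = basic("alice", "old-password")  # browser resends this everywhere
    for strict in (False, True):
        print(strict, [decide(p, stale, strict) for p in ("/", "/manage")])
```

With stale credentials the lenient policy serves the public page as Anonymous User, while the strict policy returns an authentication error on a page that needs no authentication, which is the counter-intuitive case described in the thread.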