Sidnei da Silva <sidnei <at> awkly.org> writes:

> In BaseRequest.traverse(), when invalid credentials are supplied, the
> validation will return the special 'Anonymous User' and proceed. Later
> in the game, if the 'current user' (in this case 'Anonymous User') is
> not allowed to access something, an 'Unauthorized' exception is
> raised.

I was playing around with this when writing NTLMHTTPUserFolder. We had a very strange bug that I tracked down to being that at some point in the security code (can't quite remember where) if Anonymous *could* access something then the user was being reported as Anonymous User. Not the actual user. Even if they were authenticated.

This resulted in REQUEST.AUTHENTICATED_USER being correct (the logged in user) but whatever code writes the username at the top of a CMF/Plone site saying Anonymous User (can't remember which method this is offhand -- getCurrentUser or something like that).

We also do something similar with dropping back to Anon. In our use case we are using NTLM authentication in an intranet, but some users may be coming from untrusted domains. We attempt to authenticate the user, but if the NTLM authentication from the DC fails, we accept the user anyway, return 200 and treat them as anonymous.

But in general I also agree with Tres and this should not go in yet without more testing. If only 'cos it might break my wacky edge-case code ;)

-Matt

--
Matt Hamilton                                     [EMAIL PROTECTED]
Netsight Internet Solutions, Ltd.      Business Vision on the Internet
http://www.netsight.co.uk                           +44 (0)117 9090901
Web Design | Zope/Plone Development and Consulting | Co-location | Hosting

_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders
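The symptom Matt describes (an authenticated caller reported as Anonymous User whenever Anonymous could reach the object) comes down to the order in which identity and authorization are resolved. The following is an added, constructed model and is not Zope's or NTLMHTTPUserFolder's code: the user table, the `Resource` ACL, and the two `validate_*` functions are all assumptions. It places the short-circuiting order beside the order that identifies the caller first and only then falls back to Anonymous, which is also the "accept the user anyway and treat them as anonymous" behaviour the NTLM use case wants.

```python
"""Constructed model of anonymous-fallback validation ordering.

Not Zope code. A toy validate() in two variants showing why checking
"may Anonymous access this?" before identifying the caller reports an
authenticated user as Anonymous User, and the ordering that avoids it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


ANONYMOUS = User("Anonymous User", frozenset({"Anonymous"}))


@dataclass(frozen=True)
class Resource:
    # Roles permitted to access this object (constructed sample ACL).
    allowed_roles: frozenset


# Constructed user database: name -> (password, roles). Illustration only.
USERS = {
    "alice": ("secret", frozenset({"Authenticated", "Manager"})),
}


def authenticate(credentials):
    """Return the User for valid credentials; None if absent or invalid."""
    if credentials is None:
        return None
    name, password = credentials
    entry = USERS.get(name)
    if entry is None or entry[0] != password:
        return None
    return User(name, entry[1])


def is_allowed(user, resource):
    """Role-based check: any overlap between the user's roles and the ACL."""
    return bool(user.roles & resource.allowed_roles)


def validate_anon_first(credentials, resource):
    """Problematic ordering (the symptom described in the thread).

    If Anonymous may access the object the check short-circuits and the
    request is attributed to Anonymous User, even when it carried valid
    credentials. Identity is only established for non-public objects.
    """
    if is_allowed(ANONYMOUS, resource):
        return ANONYMOUS
    user = authenticate(credentials)
    if user is not None and is_allowed(user, resource):
        return user
    raise PermissionError("Unauthorized")


def validate_identify_first(credentials, resource):
    """Identify-first ordering.

    Establish who the caller is before asking what they may do; fall back
    to Anonymous only when no valid credentials were supplied (the
    "accept them anyway as anonymous" behaviour), then authorize once.
    """
    user = authenticate(credentials) or ANONYMOUS
    if is_allowed(user, resource):
        return user
    raise PermissionError("Unauthorized")


if __name__ == "__main__":
    public = Resource(frozenset({"Anonymous", "Authenticated"}))
    creds = ("alice", "secret")
    print("anon-first     :", validate_anon_first(creds, public).name)
    print("identify-first :", validate_identify_first(creds, public).name)
```

Running the block prints `Anonymous User` for the first variant and `alice` for the second on the same public object and the same valid credentials; on a Manager-only object both variants agree, which is why the mismatch only shows up on pages Anonymous could already see.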