[Zope-dev] Authentication Patch

Evan Simpson evan@4-am.com
Tue, 25 Jan 2000 21:52:19 -0600


From: Anthony Baxter <anthony@interlink.com.au>
> I'm trying to puzzle through the access control code - right now,
> if a login validate method fails, they typically do something like
>        raise 'LoginRequired', self.docLogin(self, request)
>
> should they just, in this case, return back None, and let the machinery
> deal with it?

After plugging self.docLogin into REQUEST, yes.

> Hm, in that case, wouldn't that then just recurse back through
> the parent folders looking for additional access controls?

Exactly :-)  This can allow authentication to succeed at a higher level,
while still giving you the nice inner Login page if it fails at all levels.

This isn't necessarily desirable in all cases, and you can't even *get* a
basic authentication dialog when there's an inner cookie-based acl_users
unless you define a method which explicitly throws 'LoginRequired'.  It's
still an improvement on the current default situation, though.

Cheers,

Evan @ 4-am