[Zope-dev] Problems with LoginManager form-based login

[Phillip J. Eby]

At 01:47 PM 5/24/00 +0300, Itamar Shtull-Trauring wrote:
>I add a folder, with a LoginManager in it, define Cookie Auth as only
>authntication.  Now, every time I try to view the folder I get the loginForm
>asking me to login, even though Anonymous has permissions to view the
>pages.  If I delete the loginForm this doesn't happen, I can view the page
>with no problems.
>
>How do I get the loginForm to appear only if the user doesn't have enough
>permissions?
>

Make your root acl_users a LoginManager, with the loginForm there.
LoginManager will only allow "Anonymous" to log in if it is the root
acl_users.  This is how standard user folders behave, and *have to* because
of the way manage_workspace works, unfortunately.  Until/unless a new login
protocol is worked out in Zope, this is the workaround.

(Details of the problem: manage_workspace is set up only to require the
"Anonymous" role, but then it checks whatever user is logged in for
permissions to display management tabs.  If LoginManager were to allow
Anonymous access just because the URL being hit allowed Anonymous access,
manage_workspace would deny access to the page.  Worse, it would deny it by
popping up a basic authentication dialog.  We know this because an early
version of LoginManager seemed bizarrely broken until we dug through enough
Zope code to find out what was going on, and changed LoginManager to do
what user folders do: only log in the anonymous user if you're the root
acl_users folder.)