[Zope] basic authorization triggered inside LoginManager context

Fred Yankowski fred@ontosys.com
Sun, 28 Jan 2001 13:19:05 -0600


I've set up LoginManager with SQL and it's working OK, but I've run
into a case where the browser pops up a basic/HTTP authentication
request when I try to access a particular object inside the
LoginManager-protected area.

In particular, I added the following line to the index_html DTML
Document (at the same level as the LoginManager acl_users folder):

	<dtml-var "_.getattr('AUTHENTICATED_USER', '__class__')">

Without this line I can access the index_html file after logging in
via the LoginManager scheme as a user with the 'Members' role.  But
with this line I get the basic authorization popup and if I cancel
that I can see the following exception in the "Zope Error" page:

================
Traceback (innermost last):
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 222,
  in publish_module
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 187,
  in publish
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 171,
  in publish
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\mapply.py, line 160,
  in mapply
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\ZPublisher\Publish.py, line 112,
  in call_object
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\OFS\DTMLDocument.py, line 177,
  in __call__
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_String.py,
  line 528, in __call__
    (Object: index_html)
  File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py,
  line 337, in eval
    (Object: _.getattr('AUTHENTICATED_USER', '__class__'))
    (Info: _)
  File <string>, line 0, in ?
  File D:\PROGRA~1\Zope225\lib\python\DocumentTemplate\DT_Util.py,
  line 144, in careful_getattr
Unauthorized: __class__
================

So it looks like attempting to access the '__class__' attribute
triggered this, but I don't understand why it led to basic
authentication.  If this required 'Manager' permissions, why didn't I
just get some kind of "forbidden" response?

It looks like the careful_getattr() function will raise a
ValidationError on any attempt to access a variable whose name starts
with '_'.  Fine, maybe I was being naughty.  But I still don't
understand why this wasn't handled using LoginManager.  How can I keep
Basic/HTTP authentication from running when I've got LoginManager in
place?  Or is there reason to want both at once?

-- 
Fred Yankowski           fred@OntoSys.com      tel: +1.630.879.1312
Principal Consultant     www.OntoSys.com       fax: +1.630.879.1370
OntoSys, Inc             38W242 Deerpath Rd, Batavia, IL 60510, USA
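The two mechanisms the post collides with, modelled as an added example that is not Zope's code and not the poster's: a guarded getattr that refuses any name beginning with '_' (the role DocumentTemplate's careful_getattr plays in the traceback), and a publisher that converts the resulting Unauthorized into an HTTP 401 with a Basic challenge, which is exactly what makes a browser pop up its login box. The names Unauthorized, careful_getattr, publish, User, index_html, the realm string and the forbid_if_authenticated switch are assumptions chosen for the example; the 403 branch shows the alternative the post asks about, not what Zope 2.2.5 itself does.

```python
"""Illustrative model of a DTML-style attribute guard and of how an
Unauthorized exception becomes a Basic-auth challenge.  Not Zope code:
every name here is an assumption made for the example."""


class Unauthorized(Exception):
    """Raised when untrusted template code touches a guarded attribute."""


class User:
    """Constructed stand-in for AUTHENTICATED_USER."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = roles


def careful_getattr(obj, name, default=None):
    """Guarded getattr for template code.

    Any attribute name starting with '_' is refused, so a template cannot
    reach dunder attributes such as __class__.  That single hop is what a
    sandbox escape needs: __class__ -> __mro__ -> object -> __subclasses__()
    leads to every loaded class, including ones that wrap os and subprocess.
    """
    if name.startswith("_"):
        raise Unauthorized(name)
    return getattr(obj, name, default)


def reachable_without_guard(obj):
    """What an unguarded getattr hands a template: from __class__ we can
    climb to the root of the type hierarchy (shown as one hop, kept inert)."""
    return getattr(obj, "__class__").__mro__[-1]


def is_blocked(obj, name):
    """True if the guard refuses the attribute, False if it is served."""
    try:
        careful_getattr(obj, name)
    except Unauthorized:
        return True
    return False


def index_html(request):
    """The post's template reduced to the one expression that fails:
    _.getattr('AUTHENTICATED_USER', '__class__'), with the attribute name
    taken from the request so the same handler can show both outcomes."""
    return careful_getattr(request["AUTHENTICATED_USER"], request["attr"])


def publish(handler, request, forbid_if_authenticated=False):
    """Minimal publisher.

    Default behaviour matches what the post observes: every Unauthorized
    becomes a 401 carrying a WWW-Authenticate: basic header, regardless of
    whether a form-based login already identified the user, so the browser
    prompts for credentials.  With forbid_if_authenticated=True the
    publisher instead answers 403 when a user is already known, which is
    the "forbidden" response the post expected; more credentials cannot
    help an already-identified user, so a challenge is pointless there.
    """
    try:
        return {"status": 200, "headers": {}, "body": handler(request)}
    except Unauthorized as exc:
        if forbid_if_authenticated and request.get("AUTHENTICATED_USER"):
            return {"status": 403, "headers": {},
                    "body": "Forbidden: %s" % exc}
        return {"status": 401,
                "headers": {"WWW-Authenticate": 'basic realm="Zope"'},
                "body": "Unauthorized: %s" % exc}


if __name__ == "__main__":
    fred = User("fred", ["Members"])  # constructed sample user
    print(publish(index_html, {"AUTHENTICATED_USER": fred, "attr": "name"}))
    print(publish(index_html, {"AUTHENTICATED_USER": fred, "attr": "__class__"}))
    print(publish(index_html, {"AUTHENTICATED_USER": fred, "attr": "__class__"},
                  forbid_if_authenticated=True))
```

The point to take from the guard is that the underscore rule is a sandbox boundary, not a permission check: '__class__' is refused for every user, Manager included, because serving it would let template authors walk the object graph out of the sandbox. The popup is a separate policy decision in the publisher, which treats "not allowed" and "not identified" the same way.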