[Zope3-dev] HTTPRequest object broken when not used w/zope.server

Shane Hathaway shane@zope.com
Wed, 25 Jun 2003 14:30:30 -0400


Phillip J. Eby wrote:
> The 'setUser' method of HTTPRequest does this:
> 
> self.response._outstream.setAuthUserName(user.getId())
> 
> This is pretty bogus, since AFAIK there is no requirement that the user 
> object of a request should even have a 'getId()' method, and of course 
> the requirement that 'response._outstream' have a 'setAuthUserName()' 
> method doesn't work with CGI or FastCGI publishing (which until now I've 
> been able to do with Zope 3).

This is an interesting one.  The name "_outstream" is completely wrong.
setAuthUserName() is there for logging purposes: the common log format
includes the authenticated user name, and since the application may use 
a variety of methods to determine the authenticated user name, the 
publisher has to say what user name to log.

I think the response should have two attributes rather than one: 
"outstream" and "http_transaction".  The outstream attribute should 
always exist.  The http_transaction attribute should point to an object 
that represents the HTTP transaction (currently called a "task" in 
zope.server) or None.  The two attributes might refer to the same 
object.  The above code should then look like this:

if self.response.http_transaction is not None:
    self.response.http_transaction.setAuthUserName(user.getId())

The other responsibility of an HTTP transaction object, if available, is 
to mix connection maintenance headers with content metadata headers. 
CGI servers implement both logging and header mixing independently of 
Zope, so in CGI mode you don't need an HTTP transaction object.  I'm 
pretty sure this is how I put it together originally, but the "task" 
terminology probably confused maintainers.

> Could the author of this code at least please move it into 'zope.app', 
> where the assumption that the publisher is running under 'zope.server' 
> might be more valid?  In other words, make this call in code that 
> *calls* request.setUser(), not in request.setUser() itself.  If I 
> understand the Zope 3 architecture correctly, this sort of policy-driven 
> behavior should be in the Publication object anyway.

Your idea is probably easier for now, but I feel like the expression 
"_outstream.setAuthUserName(name)" is a sign of trouble.  Streams are 
supposed to have only a few simple methods.

Shane
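
Added example, not part of the original post and not Zope's own code: a minimal Python sketch of the two-attribute response design described in the message above, showing that the authenticated user name reaches the access log only when an HTTP transaction object exists. The classes HTTPTransaction, Response, Request and User, the log_line helper and the sample request values are assumptions made for illustration; only setUser, getId, setAuthUserName, outstream and http_transaction come from the message.

```python
import io

class HTTPTransaction:
    """Hypothetical stand-in for what zope.server calls a "task"."""
    def __init__(self, outstream):
        self.outstream = outstream
        self.auth_user_name = None  # set by the publisher, used only for logging

    def setAuthUserName(self, name):
        self.auth_user_name = name

    def write(self, data):
        self.outstream.write(data)

    def log_line(self, host, when, request_line, status, size):
        # Common log format: host ident authuser [date] "request" status bytes
        user = self.auth_user_name or "-"
        return '%s - %s [%s] "%s" %d %d' % (host, user, when, request_line, status, size)

class Response:
    def __init__(self, outstream, http_transaction=None):
        self.outstream = outstream                # always exists
        self.http_transaction = http_transaction  # None under CGI/FastCGI

class User:
    def __init__(self, uid):
        self.uid = uid
    def getId(self):
        return self.uid

class Request:
    def __init__(self, response):
        self.response = response
        self.user = None
    def setUser(self, user):
        self.user = user
        if self.response.http_transaction is not None:
            self.response.http_transaction.setAuthUserName(user.getId())

SAMPLE = ("192.0.2.10", "25/Jun/2003:14:30:30 -0400", "GET / HTTP/1.0", 200, 512)  # constructed

def demo():
    # Server mode: one object plays both roles, as the message allows.
    task = HTTPTransaction(io.StringIO())
    Request(Response(outstream=task, http_transaction=task)).setUser(User("alice"))
    # CGI mode: no transaction object, so a user without getId() is accepted.
    cgi = Request(Response(outstream=io.StringIO()))
    cgi.setUser(object())
    return task.log_line(*SAMPLE), cgi.response.http_transaction
```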