[Zope3-dev] Re: Default view weirdness.

Jim Fulton jim@zope.com
Thu, 06 Mar 2003 11:50:04 -0500


Godefroid Chapelle wrote:
> Sidnei da Silva wrote:
> 
>> I would like to fix or get someone to fix the default browser view
>> weirdness.
>>
>> Let me explain the issue:
>>
>> If you fire up Zope3 and go to http://localhost:8080 you will end up
>> with a folder_contents view and only `introspector` in the
>> zmi_menu. For some non-folderish objects you will only get the
>> introspector view and the introspector tab. No other views or tabs
>> available from the UI.
>>
>> I noticed that when this happens, the UI shows you are logged in as
>> Unauthenticated User, so my guess is that when you are on these views,
>> Zope didn't issue a request for authorization, the browser didn't send
>> the username, so you are not really authenticated, e.g. the request doesn't
>> have the authenticated user. But I may well be wrong. I hope the ones
>> that know the ZCML better may help on this, as it seems like a
>> misconfiguration somewhere.
>>
>> []`s 
> 
> 
> Is there a reason there was no answer to this question?
> I'd like to second Sidnei by stating this is something that should be 
> solved one way or another?

Sidnei told me on irc he had figured it out. :)

The same problem exists in Zope 2. The behavior also depends a bit
on your browser. If you go to a page that *can* be rendered for an
anonymous/unauthenticated user, and your browser doesn't present any
credentials, then your browser will not be challenged.

There are a number of strategies for avoiding this issue:

- Don't include tabbed-views that can be viewed by unauthenticated users.
   It's a bug that the introspector view is visible to anybody.

- Always start browsing with a page (e.g. /@@manage) that requires authentication.
   This works if your browser always presents credentials after being challenged
   once. Some (lame) browsers only send credentials when challenged.

   A separate log-in view would work well for this as well.

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (888) 344-4332            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
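
The challenge behaviour discussed in this thread, as an added sketch that is not part of the original messages and not Zope's own code: a toy WSGI app where `/` renders for anyone and `/@@manage` requires HTTP Basic authentication, plus a minimal client with the two browser behaviours mentioned above. The credentials, realm, tab names (other than `introspector`) and the `Browser` class are constructed for illustration.

```python
import base64

USERS = {"admin": "secret"}                              # constructed credentials
PUBLIC_TABS = ["introspector"]                           # view visible to anybody
MANAGER_TABS = ["contents", "manage", "introspector"]    # hypothetical tab names

def principal(environ):
    """Return the user name from a valid Basic Authorization header, else None."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:                                   # bad base64 or bad UTF-8
        return None
    return user if USERS.get(user) == password else None

def app(environ, start_response):
    """'/' never challenges; '/@@manage' answers 401 unless authenticated."""
    user = principal(environ)
    if environ["PATH_INFO"] == "/@@manage" and user is None:
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="Zope"')])
        return [b"login required"]
    tabs = MANAGER_TABS if user else PUBLIC_TABS
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{user or 'Unauthenticated User'}: {','.join(tabs)}".encode()]

class Browser:
    """sticky=True keeps presenting credentials after being challenged once."""
    def __init__(self, sticky):
        self.sticky, self.challenged = sticky, False
        self.auth = "Basic " + base64.b64encode(b"admin:secret").decode()

    def _request(self, path, with_auth):
        environ = {"PATH_INFO": path}
        if with_auth:
            environ["HTTP_AUTHORIZATION"] = self.auth
        status = []
        body = b"".join(app(environ, lambda s, h: status.append(s)))
        return status[0], body.decode()

    def get(self, path):
        status, body = self._request(path, self.sticky and self.challenged)
        if status.startswith("401"):                     # challenged: retry with credentials
            self.challenged = True
            status, body = self._request(path, True)
        return body
```

A sticky browser that opens `/@@manage` first sees the full tab set on `/` afterwards; one that starts at `/`, or that only answers challenges, is rendered as Unauthenticated User with the introspector tab alone.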