AW: [Zope3-Users] Disabling authentication for resources

andrew andrew at reurbanise.co.nz
Thu Jul 10 00:47:35 EDT 2008


On Thu, 2008-07-10 at 02:44 +0200, Roger Ineichen wrote:
> I guess bypass the authentication process is not supported for
> zope.Public protected objects.
>  
> Zope does authenticate the user. And later it checks security
> for the object based on that user (authorization).
> 
> zope.Public is correct for public access, but it doesn't mean 
> the user get not authenticated. Remember authentication and
> authorization are two different things.
> 
> I'm not really sure. But I guess without authentication, 
> Zope doesn't know if even zope.Public is allowed for this 
> user because you can deny permissions. But I'm also not sure
> without to introspect the code if zope.Public can set as deny.
> 
> Hope that gives some hints for deep into the internals
> of IAuthentication. If you need a simpler implementation,
> take a look at z3c.authenticator.

That's great, thanks Roger. That's a good point that authentication and
authorization are different things. So, it would seem that there's no
easy way to avoid the authentication process altogether, so I'll just
hope that the overhead is not too great :-)

Cheers, Andrew.  



More information about the Zope3-users mailing list