Mailing List Archive: Wrong username and password == Anonymous User?

Wrong username and password == Anonymous User?

sidnei at awkly

Apr 19, 2005, 7:09 PM

Post #1 of 20 (6902 views)

So, here's a tricky one.

In BaseRequest.traverse(), when invalid credentials are supplied, the
validation will return the special 'Anonymous User' and proceed. Later
in the game, if the 'current user' (in this case 'Anonymous User') is
not allowed to access something, an 'Unauthorized' exception is
raised.

Mark Hammond has been arguing me for hours now, and has convinced me
that this is wrong. Why?

- If you want to access a anonymous page, you will *not* be sending
auth credentials.

- If you *are* supplying credentials, they must either be *valid* or
*invalid*. Falling back to 'Anonymous User' just hides the fact that
you have provided wrong credentials.

- Falling back to 'Anonymous User' will eventually fail down the path,
unless, by luck, everything you need to access in that request is
accessible to the 'Anonymous User'. It might fail quite deep inside
Zope, thus possibly masking the real issue.

- Anyone sending wrong credentials and *expecting* that Zope will
fallback to 'Anonymous User' knows and is actively abusing
ZPublisher internals.

- Falling back to 'Anonymous User' and proceeding might also consume
more resources than it really should in this case.

In any case, if someone is depending on this behaviour, he has a
broken application that must be fixed.

The patch (attached) is very short and simple, and I can't think of a
single reasonable, sane case that would break with this change.

If no-one has a real reason for not checkin this in, I would like to
make the change in Zope 2.7 and trunk as IMO it's a bug.

--
Sidnei da Silva <sidnei@awkly.org>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

<glyph> we need PB for C#
* moshez squishes glyph
<moshez> glyph: squishy insane person

Re: Wrong username and password == Anonymous User? [ In reply to ]

richard at commonground

Apr 19, 2005, 7:38 PM

Post #2 of 20 (6821 views)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 20 Apr 2005 12:09 pm, Sidnei da Silva wrote:
> - If you want to access a anonymous page, you will *not* be sending
> auth credentials.

Why do you say that? Cooke auth doesn't distinguish between anonymous pages
and pages that require a user, so the cookie will be sent for every request.
IIRC, this is also how Basic Auth works, once your browser knows you've got
valid credentials for a site.

Richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCZcCyrGisBEHG6TARAvRoAJ4sWIc5jy9gmMmOR5dgfg8EVj4msACeIM80
fpLGmzjaZ7aJ8wG7uD0pH8g=
=aSFF
-----END PGP SIGNATURE-----
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

sidnei at awkly

Apr 19, 2005, 7:53 PM

Post #3 of 20 (6792 views)

On Wed, Apr 20, 2005 at 12:38:42PM +1000, Richard Jones wrote:
| On Wed, 20 Apr 2005 12:09 pm, Sidnei da Silva wrote:
| > - If you want to access a anonymous page, you will *not* be sending
| > auth credentials.
|
| Why do you say that? Cooke auth doesn't distinguish between anonymous pages
| and pages that require a user, so the cookie will be sent for every request.
| IIRC, this is also how Basic Auth works, once your browser knows you've got
| valid credentials for a site.

That is totally fine. As long as the credentials are valid. If they
are invalid you should be promptly requested to provide valid
credentials no?

Again:

- Not sending credentials is fine for anonymous pages
- Sending valid credentials is fine for all pages
- Sending invalid credentials should fail as early as possible.

--
Sidnei da Silva <sidnei@awkly.org>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

All the existing 2.0.x kernels are to buggy for 2.1.x to be the
main goal.
-- Alan Cox
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

pw_lists at slinkp

Apr 19, 2005, 8:06 PM

Post #4 of 20 (6796 views)

On Tue, Apr 19, 2005 at 11:53:33PM -0300, Sidnei da Silva wrote:
> On Wed, Apr 20, 2005 at 12:38:42PM +1000, Richard Jones wrote:
> | On Wed, 20 Apr 2005 12:09 pm, Sidnei da Silva wrote:
> | > - If you want to access a anonymous page, you will *not* be sending
> | > auth credentials.
> |
> | Why do you say that? Cooke auth doesn't distinguish between anonymous pages
> | and pages that require a user, so the cookie will be sent for every request.
> | IIRC, this is also how Basic Auth works, once your browser knows you've got
> | valid credentials for a site.
>
> That is totally fine. As long as the credentials are valid. If they
> are invalid you should be promptly requested to provide valid
> credentials no?
>
> Again:
>
> - Not sending credentials is fine for anonymous pages
> - Sending valid credentials is fine for all pages
> - Sending invalid credentials should fail as early as possible.

What should happen if your credentials are valid in one part of the site
and invalid in another part?

--

Paul Winkler
http://www.slinkp.com
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

sidnei at awkly

Apr 19, 2005, 8:20 PM

Post #5 of 20 (6785 views)

On Tue, Apr 19, 2005 at 11:06:05PM -0400, Paul Winkler wrote:
| > Again:
| >
| > - Not sending credentials is fine for anonymous pages
| > - Sending valid credentials is fine for all pages
| > - Sending invalid credentials should fail as early as possible.
|
| What should happen if your credentials are valid in one part of the site
| and invalid in another part?

Supposedly you would not be able to access that part of the site until
you authenticate against it. Isn't that the case now?

--
Sidnei da Silva <sidnei@awkly.org>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

Firme que nem prego em polenta.
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

tseaver at zope

Apr 19, 2005, 9:01 PM

Post #6 of 20 (6809 views)

Sidnei da Silva wrote:
> So, here's a tricky one.
>
> In BaseRequest.traverse(), when invalid credentials are supplied, the
> validation will return the special 'Anonymous User' and proceed. Later
> in the game, if the 'current user' (in this case 'Anonymous User') is
> not allowed to access something, an 'Unauthorized' exception is
> raised.
>
> Mark Hammond has been arguing me for hours now, and has convinced me
> that this is wrong. Why?
>
> - If you want to access a anonymous page, you will *not* be sending
> auth credentials.
>
> - If you *are* supplying credentials, they must either be *valid* or
> *invalid*. Falling back to 'Anonymous User' just hides the fact that
> you have provided wrong credentials.
>
> - Falling back to 'Anonymous User' will eventually fail down the path,
> unless, by luck, everything you need to access in that request is
> accessible to the 'Anonymous User'. It might fail quite deep inside
> Zope, thus possibly masking the real issue.
>
> - Anyone sending wrong credentials and *expecting* that Zope will
> fallback to 'Anonymous User' knows and is actively abusing
> ZPublisher internals.
>
> - Falling back to 'Anonymous User' and proceeding might also consume
> more resources than it really should in this case.
>
> In any case, if someone is depending on this behaviour, he has a
> broken application that must be fixed.
>
> The patch (attached) is very short and simple, and I can't think of a
> single reasonable, sane case that would break with this change.
>
> If no-one has a real reason for not checkin this in, I would like to
> make the change in Zope 2.7 and trunk as IMO it's a bug.

-1 without extensive testing on a branch, especially including heavy
testing of basic-auth-only scenarios.

Tinkering with the machinery here after a couple of hours
head-scratching ignores the fact that the machinery *works* in the teeth
of all the weird behavior built into to pavane which is
stateless-but-faking-it basic authentication.

Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com

_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

regebro at gmail

Apr 20, 2005, 3:45 AM

Post #7 of 20 (6787 views)

On 4/20/05, Sidnei da Silva <sidnei@awkly.org> wrote:
> Supposedly you would not be able to access that part of the site until
> you authenticate against it. Isn't that the case now?

Assuming it requires authentication, yes.
The main problem here is that Internet Explorer doesn't allow you to
log out, for example.

So, in principal, invalid credentials should raise an error, but in
practice, you can't do that if you use Simple HTTP authentication.
With other authentication schemes, where you can log out properly,
it's would be possible.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

chris at simplistix

Apr 20, 2005, 6:01 AM

Post #8 of 20 (6825 views)

Lennart Regebro wrote:
>>Supposedly you would not be able to access that part of the site until
>>you authenticate against it. Isn't that the case now?
>
> Assuming it requires authentication, yes.

And if it doesn't require authentication?
Also, what determines whether it requires authentication? authorisation
requirements or something else?

> The main problem here is that Internet Explorer doesn't allow you to
> log out, for example.

I thought returning enough 401's usually prompts any browser to drop its
basic auth?

> So, in principal, invalid credentials should raise an error, but in
> practice, you can't do that if you use Simple HTTP authentication.

Why not? Surely they should just get a 403 response?

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Re: Wrong username and password == Anonymous User? [ In reply to ]

chris at simplistix

Apr 20, 2005, 6:01 AM

Post #9 of 20 (6798 views)

Tres Seaver wrote:
> -1 without extensive testing on a branch, especially including heavy
> testing of basic-auth-only scenarios.
>
> Tinkering with the machinery here after a couple of hours
> head-scratching ignores the fact that the machinery *works* in the teeth
> of all the weird behavior built into to pavane which is
> stateless-but-faking-it basic authentication.

I find myself strongly agreeing with Tres again, should I find this
disturbing? ;-)

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

regebro at gmail

Apr 20, 2005, 9:22 AM

Post #10 of 20 (6820 views)

On 4/20/05, Chris Withers <chris@simplistix.co.uk> wrote:
> Lennart Regebro wrote:
> >>Supposedly you would not be able to access that part of the site until
> >>you authenticate against it. Isn't that the case now?
> >
> > Assuming it requires authentication, yes.
>
> And if it doesn't require authentication?

It would fail, since you supplied incorrect authentication. That's
pretty counter-intuitive. You are logged in, and click on a part of
the site where you should not need authentication, and you get
authentication errors. ;)

> Also, what determines whether it requires authentication? authorisation
> requirements or something else?

If it's accessible by anonymous that is the same as not requiring authorization.

> > The main problem here is that Internet Explorer doesn't allow you to
> > log out, for example.
>
> I thought returning enough 401's usually prompts any browser to drop its
> basic auth?

Nope, not IE. Yes, that is non-standard. But they do that so that if
you click on something that you can NOT access, you can continue
surfing without having to log in again. Which actually is pretty
reasonable in a way.

> > So, in principal, invalid credentials should raise an error, but in
> > practice, you can't do that if you use Simple HTTP authentication.
>
> Why not? Surely they should just get a 403 response?

403 Forbidden: The server understood the request, but is refusing to
fulfill it. Authorization will not help and the request SHOULD NOT be
repeated. If the request method was not HEAD and the server wishes to
make public why the request has not been fulfilled, it SHOULD describe
the reason for the refusal in the entity. If the server does not wish
to make this information available to the client, the status code 404
(Not Found) can be used instead.

I fail to see how this is a reasonable resonse when you request a page
that is public just because your credentials are invalid in that
location. It's a bit like refusing people into a public park because
they have a security badge on their shirt. ;)

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

pw_lists at slinkp

Apr 20, 2005, 9:45 AM

Post #11 of 20 (6798 views)

On Wed, Apr 20, 2005 at 06:22:10PM +0200, Lennart Regebro wrote:
> On 4/20/05, Chris Withers <chris@simplistix.co.uk> wrote:
> > Lennart Regebro wrote:
> > >>Supposedly you would not be able to access that part of the site until
> > >>you authenticate against it. Isn't that the case now?
> > >
> > > Assuming it requires authentication, yes.
> >
> > And if it doesn't require authentication?
>
> It would fail, since you supplied incorrect authentication. That's
> pretty counter-intuitive. You are logged in, and click on a part of
> the site where you should not need authentication, and you get
> authentication errors. ;)

That's what I was trying to tease out but I couldn't put my finger
on it late last night. Thanks Lennart.
--

Paul Winkler
http://www.slinkp.com
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

matth at netsight

Apr 21, 2005, 2:29 AM

Post #12 of 20 (6817 views)

Sidnei da Silva <sidnei <at> awkly.org> writes:

> In BaseRequest.traverse(), when invalid credentials are supplied, the
> validation will return the special 'Anonymous User' and proceed. Later
> in the game, if the 'current user' (in this case 'Anonymous User') is
> not allowed to access something, an 'Unauthorized' exception is
> raised.

I was playing around with this when writing NTLMHTTPUserFolder. We had a very
strange bug that I tracked down to being that at some point in the security
code (can't quite remember where) if Anonymous *could* access something then
the user was being reported as Anonymous User. Not the actual user. Even if
they were authenticated. This resulted in REQUEST.AUTHENTICATED_USER being
correct (the logged in user) but whatever code that writes the username at the
top of a CMF/Plone site saying Anonymous User (can't remember which method
this is offhand -- getCurrentUser or something like that).

We also do something similar with dropping back to Anon. In our use case we
are using NTLM authentication in an intranet, but some users may be coming
from untrusted domains. We attempt to authenticate the user, but if the NTLM
authentication from the DC fails, we accept the user anyway, return 200 and
treat them as anonymous.

But in general I also agree with Tres and this should not go in yet without
more testing. If only 'cos it might break my wacky edge-case code ;)

-Matt

--
Matt Hamilton matth@netsight.co.uk
Netsight Internet Solutions, Ltd. Business Vision on the Internet
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development and Consulting | Co-location | Hosting

_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

chris at simplistix

Apr 21, 2005, 5:11 AM

Post #13 of 20 (6811 views)

Lennart Regebro wrote:
>>>>Supposedly you would not be able to access that part of the site until
>>>>you authenticate against it. Isn't that the case now?
>>>
>>>Assuming it requires authentication, yes.
>>
>>And if it doesn't require authentication?
>
> It would fail, since you supplied incorrect authentication. That's
> pretty counter-intuitive. You are logged in, and click on a part of
> the site where you should not need authentication, and you get
> authentication errors. ;)

Indeed. So, this explains the reason why incorrect auth credentials
result in an anoymous user rather than an auth failure. Read that way, I
think it should stay that way, unless anyone can suggest anything better.
However, it might help if whoever's "in" this code currently adds a big
comment explaining the reasoning. Sidnei?

>>Also, what determines whether it requires authentication? authorisation
>>requirements or something else?
>
> If it's accessible by anonymous that is the same as not requiring authorization.

I don't think that's the case. I have a specific requirement on the
project I'm currently working on to know who the current user is, even
if the something is anonymously accessible.

Perhaps userfolders should have the opportunity to do something as
they're traversed through to authenticate, rather than waiting until
something that requires authorisation kicks them off?

>>>The main problem here is that Internet Explorer doesn't allow you to
>>>log out, for example.
>>
>>I thought returning enough 401's usually prompts any browser to drop its
>>basic auth?
>
> Nope, not IE. Yes, that is non-standard.

Are you sure? I'm pretty sure I remember the ZMI's "logout" link working
in IE, and that relies on returning 401's...

> But they do that so that if
> you click on something that you can NOT access, you can continue
> surfing without having to log in again. Which actually is pretty
> reasonable in a way.

...not if they don't also provide a method to consciously drop basic
auth headers ;-)

> 403 Forbidden: The server understood the request, but is refusing to
> fulfill it. Authorization will not help and the request SHOULD NOT be
> repeated. If the request method was not HEAD and the server wishes to
> make public why the request has not been fulfilled, it SHOULD describe
> the reason for the refusal in the entity. If the server does not wish
> to make this information available to the client, the status code 404
> (Not Found) can be used instead.
>
> I fail to see how this is a reasonable resonse when you request a page
> that is public just because your credentials are invalid in that
> location. It's a bit like refusing people into a public park because
> they have a security badge on their shirt. ;)

Well, I have to say I was really disappointed when I read the W3C specs
for response codes. They freely interchange authentication and
authorization, which are two totally different concepts :-(

However, yes, I agree your use case is important, particularly for Zope
with it's devolved idea of user management, and so am now against the
change Sidnei was suggesting...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Re: Wrong username and password == Anonymous User? [ In reply to ]

chris at simplistix

Apr 21, 2005, 5:19 AM

Post #14 of 20 (6833 views)

Matt Hamilton wrote:

>>In BaseRequest.traverse(), when invalid credentials are supplied, the
>>validation will return the special 'Anonymous User' and proceed. Later
>>in the game, if the 'current user' (in this case 'Anonymous User') is
>>not allowed to access something, an 'Unauthorized' exception is
>>raised.

Yeah, how this exception is handled is something I'd like to see made
more officially pluggable and the responsibility of the user folder.
In many cases, it makes much more sense to just return a 403 when this
happens, rather than popping up a basic auth box inviting the user to
bang their head against a brick wall trying the same username/password
they did before...

> I was playing around with this when writing NTLMHTTPUserFolder. We had a very
> strange bug that I tracked down to being that at some point in the security
> code (can't quite remember where) if Anonymous *could* access something then
> the user was being reported as Anonymous User. Not the actual user. Even if
> they were authenticated. This resulted in REQUEST.AUTHENTICATED_USER being
> correct (the logged in user) but whatever code that writes the username at the
> top of a CMF/Plone site saying Anonymous User (can't remember which method
> this is offhand -- getCurrentUser or something like that).

From what you describe, sounds like getSecurityManager().getUser() was
returning something different to REQUEST.AUTHENTICATED_USER. The way you
describe it makes it sound like getUser() had a bug, but then again, you
could be observing side effects of the fact that
REQUEST.AUTHENTICATED_USER was deprecated several years ago ;-)

> We also do something similar with dropping back to Anon.

Except you don't, as I understand it. You drop back to a user called
"Unauthenticated User" which has the same roles as an authenticated
user, which I personally find horrible ;-)

I'd much prefer to see the intranet in question be anonymously
accessible, as it should be, with authentication happening if the
credentials are there, rather than if authentication is required.

__bobo_travese__ anyone?

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

regebro at gmail

Apr 21, 2005, 5:23 AM

Post #15 of 20 (6781 views)

On 4/21/05, Chris Withers <chris@simplistix.co.uk> wrote:
> > If it's accessible by anonymous that is the same as not requiring
> > authorization.
>
> I don't think that's the case. I have a specific requirement on the
> project I'm currently working on to know who the current user is, even
> if the something is anonymously accessible.

So you *allow* authorization, and use it, but you don't *require* it.

> Perhaps userfolders should have the opportunity to do something as
> they're traversed through to authenticate, rather than waiting until
> something that requires authorisation kicks them off?

Sounds reasonable.

> > Nope, not IE. Yes, that is non-standard.
>
> Are you sure? I'm pretty sure I remember the ZMI's "logout" link working
> in IE, and that relies on returning 401's...

Last time I checked it didn't work.

> > But they do that so that if
> > you click on something that you can NOT access, you can continue
> > surfing without having to log in again. Which actually is pretty
> > reasonable in a way.
>
> ...not if they don't also provide a method to consciously drop basic
> auth headers ;-)

Yet Another Crappy Standard.

> Well, I have to say I was really disappointed when I read the W3C specs
> for response codes. They freely interchange authentication and
> authorization, which are two totally different concepts :-(

Right.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

regebro at gmail

Apr 21, 2005, 5:23 AM

Post #16 of 20 (6819 views)

On 4/21/05, Chris Withers <chris@simplistix.co.uk> wrote:
> > If it's accessible by anonymous that is the same as not requiring
> > authorization.
>
> I don't think that's the case. I have a specific requirement on the
> project I'm currently working on to know who the current user is, even
> if the something is anonymously accessible.

So you *allow* authorization, and use it, but you don't *require* it.

> Perhaps userfolders should have the opportunity to do something as
> they're traversed through to authenticate, rather than waiting until
> something that requires authorisation kicks them off?

Sounds reasonable.

> > Nope, not IE. Yes, that is non-standard.
>
> Are you sure? I'm pretty sure I remember the ZMI's "logout" link working
> in IE, and that relies on returning 401's...

Last time I checked it didn't work.

> > But they do that so that if
> > you click on something that you can NOT access, you can continue
> > surfing without having to log in again. Which actually is pretty
> > reasonable in a way.
>
> ...not if they don't also provide a method to consciously drop basic
> auth headers ;-)

Yet Another Crappy Standard.

> Well, I have to say I was really disappointed when I read the W3C specs
> for response codes. They freely interchange authentication and
> authorization, which are two totally different concepts :-(

Right.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

sidnei at awkly

Apr 21, 2005, 7:39 AM

Post #17 of 20 (6791 views)

On Thu, Apr 21, 2005 at 01:11:57PM +0100, Chris Withers wrote:
| Indeed. So, this explains the reason why incorrect auth credentials
| result in an anoymous user rather than an auth failure. Read that way, I
| think it should stay that way, unless anyone can suggest anything better.
| However, it might help if whoever's "in" this code currently adds a big
| comment explaining the reasoning. Sidnei?

Well, my use-case is actually for WebDAV. So you won't just visit a
different part of the site at random. I'm currently trying to
understand if this would be a problem for WebDAV too.

--
Sidnei da Silva <sidnei@awkly.org>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

Passwords are implemented as a result of insecurity.
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

chris at simplistix

Apr 22, 2005, 1:10 AM

Post #18 of 20 (6788 views)

Lennart Regebro wrote:
>>I don't think that's the case. I have a specific requirement on the
>>project I'm currently working on to know who the current user is, even
>>if the something is anonymously accessible.
>
> So you *allow* authorization, and use it, but you don't *require* it.

No. I was to authenticate when credentials are present rather than
waiting until authorization is required before starting ot look for
authentication credentials...

>>Perhaps userfolders should have the opportunity to do something as
>>they're traversed through to authenticate, rather than waiting until
>>something that requires authorisation kicks them off?
>
> Sounds reasonable.

Any ideas where/how that should be implemented?

>>Well, I have to say I was really disappointed when I read the W3C specs
>>for response codes. They freely interchange authentication and
>>authorization, which are two totally different concepts :-(
>
> Right.

Well, I hope you use of "authorization" after "*allow*" was an accident
then ;-)

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk

_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

chris at simplistix

Apr 22, 2005, 1:11 AM

Post #19 of 20 (6785 views)

Sidnei da Silva wrote:

> Well, my use-case is actually for WebDAV. So you won't just visit a
> different part of the site at random. I'm currently trying to
> understand if this would be a problem for WebDAV too.

Nevertheless, since you're in the code alrady, can you add the big
comment explaining why it is like it is?
(or tell me a file and line number so I can do it)

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk

_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders

Re: Wrong username and password == Anonymous User? [ In reply to ]

sidnei at awkly

Apr 22, 2005, 6:22 AM

Post #20 of 20 (6814 views)

On Fri, Apr 22, 2005 at 09:11:28AM +0100, Chris Withers wrote:
| Sidnei da Silva wrote:
|
| >Well, my use-case is actually for WebDAV. So you won't just visit a
| >different part of the site at random. I'm currently trying to
| >understand if this would be a problem for WebDAV too.
|
| Nevertheless, since you're in the code alrady, can you add the big
| comment explaining why it is like it is?
| (or tell me a file and line number so I can do it)

There's a patch attached to the first message of the thread.

--
Sidnei da Silva <sidnei@awkly.org>
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

<glyph> So...
<glyph> XML.
*** Quits: dash:#twisted [washort@d136.narrowgate.net] (Read error: 113 (No route to host))
<glyph> Wow... just _saying_ it makes him disappear
_______________________________________________
Zope-Coders mailing list
Zope-Coders@zope.org
http://mail.zope.org/mailman/listinfo/zope-coders