You are not logged in Log in Join
You are here: Home » Members » jim » ZopeSecurity » ProposalToAuthenticateDuringURLTraversal
Log in
Name

Password

 
Link icon Forgot your password?
 
Print

History for ProposalToAuthenticateDuringURLTraversal

??changed:
-
Currently, authentication is performed after URL traversal has been completed. 

The reason for this is to allow the rather unusual use case of forcing people to authenticate in the most specific user database.  Someone could be defined and successfully authenticated in more than one database along URL paths and the most specific database would be used.  The utility of this is questionable to say the least.  

Delaying a authentication until URL traversal is finished prevents the use of protected resources during traversal.  As applications become more sophisticated, complex computations may be performed to affect traversal.  Sometimes, this computation requires access to protected resources.  

Another problem with the current scheme is that objects are traversed which would not be accessible after a authentication is done.  For example traversal that is disallowed in DTML would be allowed during current URL traversal.  

It is proposed that authorization checks be performed during traversal and that if a user database is encountering traversal, an attempt will be made to authenticate to the user.  The authentication will be performed prior to traversal.  The latter is required to allow a protected folder to contain the user database that defines its users.  Until a user has been authenticated only resources accessible to anonymous can be accessed.  

It is theoretically possible that this change could break existing applications.  This appears to be extremely unlikely however.
Copyright (c) 2011 Zope Foundation. All rights reserved. Legal | Contact
If you can read this text, it means you are not experiencing the Plone design at its best. Plone makes heavy use of CSS, which means it is accessible to any internet browser, but the design needs a standards-compliant browser to look like we intended it. Just so you know ;)