[Zope-dev] Authentication Patch

Evan Simpson evan@4-am.com
Tue, 11 Jan 2000 23:20:41 -0600


I got tired of dealing with the weird mechanics cookie-based logins have
to deal with, where standard_html_error and tracebacks intrude on login
intercepts.  I came up with the following minor change, which works
great for me, and might make GenericUserFolder's job easier, too.

In ZPublisher/HTTPRequest.py (or SiteAccess/ChangeBehaviors.py, if you
use SiteAccess), change the lines:

            if user is None and roles != UNSPECIFIED_ROLES:
                response.unauthorized()

to:

            if user is None and roles != UNSPECIFIED_ROLES:
                object = response.unauthorized

Under normal circumstances, this has no effect, since
'response.unauthorized' will be called as soon as it is returned and
will raise its exception as usual.  Now, however, we add a twist: when
the cookie-based authenticator fails, it replaces
'response.unauthorized' with its 'login' document.  If no higher-level
authentication succeeds, the 'login' document is rendered normally.
Since 'response' is re-created with each request, this modification has
no effect beyond the current request.

What do you folks think?

Cheers,

Evan @ 4-am
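
A simplified model of the mechanism described in the post, added here as an illustration; it is not code from the post or from Zope. Apart from `response.unauthorized` and `UNSPECIFIED_ROLES`, every name and sample value is hypothetical.

```python
# Toy model of the publish step; NOT Zope's real ZPublisher code.

class Unauthorized(Exception):
    pass

UNSPECIFIED_ROLES = object()
LOGIN_FORM = "<form>login</form>"            # constructed sample document
PROTECTED_PAGE = "<html>protected</html>"    # constructed sample document

class Response:
    """A fresh instance is created for every request."""
    def unauthorized(self):
        raise Unauthorized("401: credentials required")

def cookie_authenticator(request, response):
    """Hypothetical cookie-based user folder."""
    if request.get("cookie") == "valid-session":   # constructed value
        return "evan"
    # On failure, shadow the method on this one response instance only;
    # the Response class, and so every later request, is untouched.
    response.unauthorized = lambda: LOGIN_FORM
    return None

def basic_authenticator(request, response):
    """Hypothetical higher-level user folder using HTTP basic auth."""
    if request.get("basic") == "admin:secret":     # constructed value
        return "admin"
    return None

def publish(request, authenticators, roles=("Manager",)):
    response = Response()
    published = lambda: PROTECTED_PAGE
    user = None
    for authenticate in authenticators:            # innermost folder first
        user = authenticate(request, response)
        if user is not None:
            break
    if user is None and roles != UNSPECIFIED_ROLES:
        # The patched line: return the callable instead of calling it,
        # so a replacement installed by an authenticator gets used.
        published = response.unauthorized
    return published()      # the publisher calls whatever it was handed
```
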