Index: lib/python/ZPublisher/BaseRequest.py =================================================================== --- lib/python/ZPublisher/BaseRequest.py (revision 1204) +++ lib/python/ZPublisher/BaseRequest.py (working copy) @@ -539,6 +539,38 @@ if 1: # Always perform authentication. + user, self.roles = self._authenticate(object, parents, self.roles) + + if user is None and self.roles != UNSPECIFIED_ROLES: + response.unauthorized() + + if user is not None: + if validated_hook is not None: validated_hook(self, user) + request['AUTHENTICATED_USER']=user + request['AUTHENTICATION_PATH']='/'.join(steps[:-i]) + + # Remove http request method from the URL. + request['URL']=URL + + # Run post traversal hooks + if post_traverse: + result = exec_callables(post_traverse) + if result is not None: + object = result + + return object + + def _authenticate(self, object, parents, roles): + '''perform authentication. + + Returns the user and potentially modified roles. + ''' + request = self # alias + + user=groups=None + i=0 + + if 1: # to maintain indentation last_parent_index=len(parents) if hasattr(object, '__allow_groups__'): groups=object.__allow_groups__ 
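Review bot: `request['AUTHENTICATION_PATH']='/'.join(steps[:-i])` in the block moved up into `traverse` still reads `i`, but the counter that walks `parents` now lives inside `_authenticate` (`i=0` in its preamble) and is not handed back, since the last hunk ends with `return user, roles`. Depending on whether `traverse` keeps its own `i` (not visible here), this is either a NameError or a stale value, so AUTHENTICATION_PATH no longer reflects which object's validator accepted the user. Return the index too: `return user, roles, i`, received as `user, self.roles, i = self._authenticate(object, parents, self.roles)`. The body of `traverse` starts outside this hunk.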
@@ -559,25 +591,25 @@ auth=request._auth - if v is old_validation and self.roles is UNSPECIFIED_ROLES: + if v is old_validation and roles is UNSPECIFIED_ROLES: # No roles, so if we have a named group, get roles from # group keys - if hasattr(groups,'keys'): self.roles=groups.keys() + if hasattr(groups,'keys'): roles=groups.keys() else: try: groups=groups() except: pass - try: self.roles=groups.keys() + try: roles=groups.keys() except: pass if groups is None: # Public group, hack structures to get it to validate - self.roles=None + roles=None auth='' if v is old_validation: - user=old_validation(groups, request, auth, self.roles) - elif self.roles is UNSPECIFIED_ROLES: user=v(request, auth) - else: user=v(request, auth, self.roles) + user=old_validation(groups, request, auth, roles) + elif roles is UNSPECIFIED_ROLES: user=v(request, auth) + else: user=v(request, auth, roles) while user is None and i < last_parent_index: parent=parents[i] @@ -588,29 +620,12 @@ if hasattr(groups,'validate'): v=groups.validate else: v=old_validation if v is old_validation: - user=old_validation(groups, request, auth, self.roles) - elif self.roles is UNSPECIFIED_ROLES: user=v(request, auth) - else: user=v(request, auth, self.roles) + user=old_validation(groups, request, auth, roles) + elif roles is UNSPECIFIED_ROLES: user=v(request, auth) + else: user=v(request, auth, roles) - if user is None and self.roles != UNSPECIFIED_ROLES: - response.unauthorized() + return user, roles - if user is not None: - if validated_hook is not None: validated_hook(self, user) - request['AUTHENTICATED_USER']=user - request['AUTHENTICATION_PATH']='/'.join(steps[:-i]) - - # Remove http request method from the URL. - request['URL']=URL - - # Run post traversal hooks - if post_traverse: - result = exec_callables(post_traverse) - if result is not None: - object = result - - return object - def post_traverse(self, f, args=()): """Add a callable object and argument tuple to be post-traversed.
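Review bot: The `try: groups=groups()` / `try: roles=groups.keys()` lines with bare `except: pass` now feed the local `roles`, and any failure there leaves it as UNSPECIFIED_ROLES when it is passed to `old_validation(groups, request, auth, roles)`. Now that `_authenticate` is a separate method with a return contract, state that fall-through in a comment such as `# groups is not a mapping and calling it did not yield one: roles stay unspecified`. Consider narrowing the handlers to `except Exception:` if the supported Python allows it, so interpreter-level exits are not swallowed in the authentication path. The docstring added in the first hunk could also say that `user` is None when no validator accepts the request and that `roles` becomes None for a public group (`groups is None`).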