HTTPAuthResource doesn't provide any way to support anonymous access.
Reported by: dreid | Owned by:
I think in the absence of an Authorization header, portal.login should be called with twisted.cred.credentials.Anonymous. In the case where anonymous access is not allowed (i.e. no checker registered for the IAnonymous credentials interface), portal.login will errback and an unauthorized response will be sent. Otherwise requestAvatar on the realm will be called normally.
This will also require a mechanism for resources below the HTTPAuthResource to trigger authentication at any point when the Anonymous credentials prove insufficient. This could be a method on the IAuthenticatedRequest, perhaps IAuthenticatedRequest.reauthenticate().
Change History (9)
comment:1 Changed 7 years ago by dreid
- Priority changed from normal to highest
- Status changed from new to assigned
comment:2 Changed 7 years ago by dreid
- Keywords review added
- Owner dreid deleted
- Priority changed from highest to high
- Status changed from assigned to new