ERP5Site: stop displaying Basic auth popup in the browser

When a user is already authenticated (by any method) and an Unauthorized error occurs, ZPublisher returns the WWW-Authenticate HTTP header which leads to a blocking popup authentication window in user browser. This patch just desactivate the HTTP header. Except this, error is handled as previously.

ERP5Site: stop displaying Basic auth popup in the browser
When a user is already authenticated (by any method) and an Unauthorized error occurs, ZPublisher returns the WWW-Authenticate HTTP header which leads to a blocking popup authentication window in user browser. This patch just desactivate the HTTP header. Except this, error is handled as previously.
419abc03 · Romain Courteaud · c064d05e · 419abc03 · 419abc03
Commit 419abc03 authored Jan 13, 2016 by Romain Courteaud
Show whitespace changes
Inline Side-by-side

Showing with 39 additions and 0 deletions

product/ERP5/ERP5Site.py product/ERP5/ERP5Site.py +4 -0

product/ERP5/tests/testERP5Core.py product/ERP5/tests/testERP5Core.py +35 -0

No files found.
--- a/product/ERP5/ERP5Site.py
+++ b/product/ERP5/ERP5Site.py
@@ -260,6 +260,10 @@ class ERP5Site(FolderMixIn, CMFSite, CacheCookieMixin):
  security = ClassSecurityInfo()
  security.declareObjectProtected(Permissions.AccessContentsInformation)
+  def __before_publishing_traverse__(self, self2, request):
+    request.RESPONSE.realm = None
+    return super(ERP5Site, self).__before_publishing_traverse__(self2, request)
  def _createInitialSiteManager(self):
    # This section of code is inspired by
    # Products.CMFDefault.upgrade.to21.upgrade_root_site_manager(),

--- a/product/ERP5/tests/testERP5Core.py
+++ b/product/ERP5/tests/testERP5Core.py
@@ -29,6 +29,9 @@
 import unittest
 import pprint
+import httplib
+import urlparse
+import base64
 from AccessControl.SecurityManagement import newSecurityManager
 from Testing import ZopeTestCase
@@ -583,6 +586,38 @@ class TestERP5Core(ERP5TypeTestCase, ZopeTestCase.Functional):
      self.abort()
      setSite(old_site)
+  def test_BasicAuthenticateDesactivated(self):
+    """Make sure Unauthorized error does not lead to Basic auth popup in browser"""
+    portal = self.getPortal()
+    # Create user account with very long login name
+    login_name = 'foo_login_name'
+    password = 'bar_password'
+    acl_users = portal.acl_users
+    acl_users._doAddUser(login_name, password, ['Member'], [])
+    user = acl_users.getUserById(login_name).__of__(acl_users)
+    # Login as the above user
+    newSecurityManager(None, user)
+    self.auth = '%s:%s' % (login_name, password)
+    self.commit()
+    self.tic()
+    api_scheme, api_netloc, api_path, api_query, \
+      api_fragment = urlparse.urlsplit(self.portal.absolute_url())
+    connection = httplib.HTTPConnection(api_netloc)
+    connection.request(
+      method='GET',
+      url='%s/Person_getPrimaryGroup' % \
+          self.portal.absolute_url(),
+      headers={
+       'Authorization': 'Basic %s' % \
+         base64.b64encode(self.auth)
+      }
+    )
+    response = connection.getresponse()
+    self.assertEqual(response.status, 401)
+    self.assertEqual(response.getheader('WWW-Authenticate'), None)
 def test_suite():
  suite = unittest.TestSuite()
  suite.addTest(unittest.makeSuite(TestERP5Core))