Added a variable called PUBLISHED to REQUEST and made standard user folders

use it instead of PARENTS.

doc/CHANGES.txt

@@ -39,6 +39,10 @@ Zope changes
 
         - Corrected local role computation (Hotfix 2000-12-15)
 
+        - Added a variable called PUBLISHED to REQUEST.  From now on,
+          this variable should be used instead of PARENTS for user
+          validation.
+
     Zope 2.3.0 alpha 1
     
       Features Added

lib/python/AccessControl/User.py

@@ -84,7 +84,7 @@
 ##############################################################################
 """Access control package"""
 
-__version__='$Revision: 1.120 $'[11:-2]
+__version__='$Revision: 1.121 $'[11:-2]
 
 import Globals, socket, ts_regex, SpecialUsers
 import os
@@ -449,10 +449,9 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
         if roles is _what_not_even_god_should_do:
             request.response.notFoundError()
         
-        parents=request.get('PARENTS', [])
-        if not parents:
-            parent=self.aq_parent
-        else: parent=parents[0]
+        published = request.get('PUBLISHED', None)
+        if published is None:
+            published = self
 
         # If no authorization, only a user with a domain spec and no
         # passwd or nobody can match. We cache reverse DNS before
@@ -478,11 +477,11 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
                 domains=ob.getDomains()
                 if domains:
                     if ob.authenticate('', request):
-                        if ob.allowed(parent, roles):
+                        if ob.allowed(published, roles):
                             ob=ob.__of__(self)
                             return ob
             nobody=self._nobody
-            if self._isTop() and nobody.allowed(parent, roles):
+            if self._isTop() and nobody.allowed(published, roles):
                 ob=nobody.__of__(self)
                 return ob
             return None
@@ -506,7 +505,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
             # If the user was not found and we are the top level user
             # database and the Anonymous user is allowed to access the
             # requested object, return the Anonymous user.
-            if self._isTop() and self._nobody.allowed(parent, roles):
+            if self._isTop() and self._nobody.allowed(published, roles):
                 user=self._nobody.__of__(self)
                 return user
 
@@ -521,7 +520,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
             # If no user was authenticated and we are the top level user
             # database and the Anonymous user is allowed to access the
             # requested object, return the Anonymous user.
-            if self._isTop() and self._nobody.allowed(parent, roles):
+            if self._isTop() and self._nobody.allowed(published, roles):
                 user=self._nobody.__of__(self)
                 return user
 
@@ -534,7 +533,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
         user=user.__of__(self)
 
         # Try to authorize user
-        if user.allowed(parent, roles):
+        if user.allowed(published, roles):
             return user
 
         return None
@@ -543,7 +542,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
     if _remote_user_mode:
         
         def validate(self,request,auth='',roles=None):
-            parent=request['PARENTS'][0]
+            published = request['PUBLISHED']
             e=request.environ
             if e.has_key('REMOTE_USER'):
                 name=e['REMOTE_USER']
@@ -552,11 +551,11 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
                     domains=ob.getDomains()
                     if domains:
                         if ob.authenticate('', request):
-                            if ob.allowed(parent, roles):
+                            if ob.allowed(published, roles):
                                 ob=ob.__of__(self)
                                 return ob
                 nobody=self._nobody
-                if self._isTop() and nobody.allowed(parent, roles):
+                if self._isTop() and nobody.allowed(published, roles):
                     ob=nobody.__of__(self)
                     return ob
                 return None
@@ -576,7 +575,7 @@ class BasicUserFolder(Implicit, Persistent, Navigation, Tabs, RoleManager,
             user=user.__of__(self)
 
             # Try to authorize user
-            if user.allowed(parent, roles):
+            if user.allowed(published, roles):
                 return user
             return None
 

lib/python/ZPublisher/BaseRequest.py

@@ -82,7 +82,7 @@
 # attributions are listed in the accompanying credits file.
 # 
 ##############################################################################
-__version__='$Revision: 1.32 $'[11:-2]
+__version__='$Revision: 1.33 $'[11:-2]
 
 from string import join, split, find, rfind, lower, upper
 from urllib import quote
@@ -392,80 +392,70 @@ class BaseRequest:
         finally:
             parents.reverse()
 
-        popped_last = 0
-#        parents.pop(0) # Get rid of final method object
+        request['PUBLISHED'] = parents[0]
+        parents.pop(0) # Get rid of final method object
 
         # Do authorization checks
         user=groups=None
         i=0
-        try:
-            if roles is not None:
-
-                last_parent_index=len(parents)
-                if hasattr(object, '__allow_groups__'):
-                    groups=object.__allow_groups__
-                    inext=0
-                else:
-                    inext=None
-                    for i in range(last_parent_index):
-                        if hasattr(parents[i],'__allow_groups__'):
-                            groups=parents[i].__allow_groups__
-                            inext=i+1
-                            break
 
-                if inext is not None:
-                    i=inext
-
-                    if hasattr(groups, 'validate'): v=groups.validate
+        if roles is not None:
+
+            last_parent_index=len(parents)
+            if hasattr(object, '__allow_groups__'):
+                groups=object.__allow_groups__
+                inext=0
+            else:
+                inext=None
+                for i in range(last_parent_index):
+                    if hasattr(parents[i],'__allow_groups__'):
+                        groups=parents[i].__allow_groups__
+                        inext=i+1
+                        break
+
+            if inext is not None:
+                i=inext
+
+                if hasattr(groups, 'validate'): v=groups.validate
+                else: v=old_validation
+
+                auth=request._auth
+
+                if v is old_validation and roles is UNSPECIFIED_ROLES:
+                    # No roles, so if we have a named group, get roles from
+                    # group keys
+                    if hasattr(groups,'keys'): roles=groups.keys()
+                    else:
+                        try: groups=groups()
+                        except: pass
+                        try: roles=groups.keys()
+                        except: pass
+
+                    if groups is None:
+                        # Public group, hack structures to get it to validate
+                        roles=None
+                        auth=''
+
+                if v is old_validation:
+                    user=old_validation(groups, request, auth, roles)
+                elif roles is UNSPECIFIED_ROLES: user=v(request, auth)
+                else: user=v(request, auth, roles)
+
+                while user is None and i < last_parent_index:
+                    parent=parents[i]
+                    i=i+1
+                    if hasattr(parent, '__allow_groups__'): 
+                        groups=parent.__allow_groups__
+                    else: continue
+                    if hasattr(groups,'validate'): v=groups.validate
                     else: v=old_validation
-
-                    auth=request._auth
-
-                    if v is old_validation and roles is UNSPECIFIED_ROLES:
-                        # No roles, so if we have a named group, get roles from
-                        # group keys
-                        if hasattr(groups,'keys'): roles=groups.keys()
-                        else:
-                            try: groups=groups()
-                            except: pass
-                            try: roles=groups.keys()
-                            except: pass
-
-                        if groups is None:
-                            # Public group, hack structures to get it to validate
-                            roles=None
-                            auth=''
-
                     if v is old_validation:
                         user=old_validation(groups, request, auth, roles)
                     elif roles is UNSPECIFIED_ROLES: user=v(request, auth)
                     else: user=v(request, auth, roles)
 
-                    while user is None and i < last_parent_index:
-                        parent=parents[i]
-                        i=i+1
-                        if hasattr(parent, '__allow_groups__'): 
-                            groups=parent.__allow_groups__
-                        else: continue
-                        if hasattr(groups,'validate'): v=groups.validate
-                        else: v=old_validation
-                        if v is old_validation:
-                            user=old_validation(groups, request, auth, roles)
-                        elif roles is UNSPECIFIED_ROLES: user=v(request, auth)
-                        else: user=v(request, auth, roles)
-
-                if not popped_last:
-                    # Get rid of final method object
-                    parents.pop(0)
-                    popped_last=1
-
-                if user is None and roles != UNSPECIFIED_ROLES:
-                    response.unauthorized()
-
-        finally:
-            # Get rid of final method object
-            if not popped_last:
-                parents.pop(0)
+            if user is None and roles != UNSPECIFIED_ROLES:
+                response.unauthorized()
 
         if user is not None:
             if validated_hook is not None: validated_hook(self, user)