ERP5Type.patches.CookieCrumbler: Unconditionally cleanup request.

Receiving name & password parameters does not prevent us from also
receiving the authentication cookie. It must not be kept in the request.
And likewise for requests also containing an HTTP authentication header.
And likewise for requests for which CookieCrumbler disables itself on.

product/ERP5Type/patches/CookieCrumbler.py

@@ -110,66 +110,66 @@ def modifyRequest(self, req, resp):
   cookie login is disabled for this request, raises
   CookieCrumblerDisabled.
   """
-  if (req.__class__ is not HTTPRequest
-      or not req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
-      or req.environ.has_key('WEBDAV_SOURCE_PORT')):
-      raise CookieCrumblerDisabled
-
-  req.post_traverse(balancer_cookie_hook, (self, req, resp))
-
-  # attempt may contain information about an earlier attempt to
-  # authenticate using a higher-up cookie crumbler within the
-  # same request.
-  attempt = getattr(req, '_cookie_auth', ATTEMPT_NONE)
-
-  if attempt == ATTEMPT_NONE:
-    if req._auth:
-      # An auth header was provided and no cookie crumbler
-      # created it.  The user must be using basic auth.
-      raise CookieCrumblerDisabled
-
-    if req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
-      # Attempt to log in and set cookies.
-      attempt = ATTEMPT_LOGIN
-      name = req[self.name_cookie]
-      pw = req[self.pw_cookie]
-      ac = standard_b64encode('%s:%s' % (name, pw))
-      self._setAuthHeader(ac, req, resp)
-      if req.get(self.persist_cookie, 0):
-        # Persist the user name (but not the pw or session)
-        expires = (DateTime() + 365).toZone('GMT').rfc822()
-        resp.setCookie(self.name_cookie, name,
-                       path=self.getCookiePath(),
-                       expires=expires)
-      else:
-        # Expire the user name
-        resp.expireCookie(self.name_cookie,
-                          path=self.getCookiePath())
-      method = self.getCookieMethod( 'setAuthCookie'
-                                     , self.defaultSetAuthCookie )
-      method( resp, self.auth_cookie, quote( ac ) )
-      self.delRequestVar(req, self.name_cookie)
-      self.delRequestVar(req, self.pw_cookie)
-
-    elif req.has_key(self.auth_cookie):
-      # Attempt to resume a session if the cookie is valid.
-      # Copy __ac to the auth header.
-      ac = unquote(req[self.auth_cookie])
-      if ac and ac != 'deleted':
-        try:
-          standard_b64decode(ac)
-        except:
-          # Not a valid auth header.
-          pass
+  enabled = (req.__class__ is HTTPRequest
+      and req['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST')
+      and 'WEBDAV_SOURCE_PORT' not in req.environ)
+  if enabled:
+    req.post_traverse(balancer_cookie_hook, (self, req, resp))
+
+    # attempt may contain information about an earlier attempt to
+    # authenticate using a higher-up cookie crumbler within the
+    # same request.
+    attempt = getattr(req, '_cookie_auth', ATTEMPT_NONE)
+
+    if attempt == ATTEMPT_NONE:
+      if req._auth:
+        # An auth header was provided and no cookie crumbler
+        # created it.  The user must be using basic auth.
+        enabled = False
+      elif req.has_key(self.pw_cookie) and req.has_key(self.name_cookie):
+        # Attempt to log in and set cookies.
+        attempt = ATTEMPT_LOGIN
+        name = req[self.name_cookie]
+        pw = req[self.pw_cookie]
+        ac = standard_b64encode('%s:%s' % (name, pw))
+        self._setAuthHeader(ac, req, resp)
+        if req.get(self.persist_cookie, 0):
+          # Persist the user name (but not the pw or session)
+          expires = (DateTime() + 365).toZone('GMT').rfc822()
+          resp.setCookie(self.name_cookie, name,
+                         path=self.getCookiePath(),
+                         expires=expires)
         else:
-          attempt = ATTEMPT_RESUME
-          self._setAuthHeader(ac, req, resp)
-          self.delRequestVar(req, self.auth_cookie)
-          method = self.getCookieMethod(
-            'twiddleAuthCookie', None)
-          if method is not None:
-            method(resp, self.auth_cookie, quote(ac))
-
+          # Expire the user name
+          resp.expireCookie(self.name_cookie,
+                            path=self.getCookiePath())
+        method = self.getCookieMethod( 'setAuthCookie'
+                                       , self.defaultSetAuthCookie )
+        method( resp, self.auth_cookie, quote( ac ) )
+      elif req.has_key(self.auth_cookie):
+        # Attempt to resume a session if the cookie is valid.
+        # Copy __ac to the auth header.
+        ac = unquote(req[self.auth_cookie])
+        if ac and ac != 'deleted':
+          try:
+            standard_b64decode(ac)
+          except:
+            # Not a valid auth header.
+            pass
+          else:
+            attempt = ATTEMPT_RESUME
+            self._setAuthHeader(ac, req, resp)
+            self.delRequestVar(req, self.auth_cookie)
+            method = self.getCookieMethod(
+              'twiddleAuthCookie', None)
+            if method is not None:
+              method(resp, self.auth_cookie, quote(ac))
+
+  self.delRequestVar(req, self.auth_cookie)
+  self.delRequestVar(req, self.name_cookie)
+  self.delRequestVar(req, self.pw_cookie)
+  if not enabled:
+    raise CookieCrumblerDisabled
   req._cookie_auth = attempt
   return attempt