Fixes #107 -- more precisely, tries to improve the behavior of the PAS override of Zope's manage_zmi_logout. But it is not complete and may even work worse than previously.
Previously, the PAS override of manage_zmi_logout made the (implicit) assumption that the top level user folder uses HTTP authentication. #107 demonstrates that it fails miserably when this assumption is not met.
This PR drops the assumption but it cannot guarantee full logout. The problem arises when the current request contains credentials for different user folders (e.g. manager credentials for the top level user folder and credentials for a portal's user folder). The manage_zmi_logout will reset the credentials for the lowest user folder in the current context (the one that authenticated the current user) provided that this user folder implements IPluggableAuthService (otherwise, Zope's manage_zmi_logout will be called, which assumes HTTP authentication). If the request still contains credentials for further-up user folders, then the logout will not be complete and the user must again call for a logout.
The support for HTTP authentication prevents us from performing an automated logout from all user folders in the current context because the HTTP logout requires the browser to show its login dialog and with this dialog the server loses control. We could do better in the absence of HTTP authentication (at least at the local level) but the PAS flexibility makes it hard to detect HTTP authentication reliably.
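Added illustration of the partial-logout behavior described in this PR. This is a constructed simulation, not code from this PR, from Products.PluggableAuthService or from Zope: the classes `Request`, `PASFolder`, `BasicAuthFolder` and the function `zmi_logout` are hypothetical stand-ins for a request, a cookie-based PAS user folder, a classic HTTP-auth user folder and the override. It shows why one logout call only clears the lowest folder that authenticated the user, why a further-up cookie folder needs a second call, and why a further-up HTTP-auth folder cannot be cleared from the server side at all.

```python
"""Simulation of partial ZMI logout across nested user folders.

Constructed example (not Zope or PAS code). Two folder kinds are modelled:
a PAS-style folder whose credential is a cookie the server can clear, and a
classic folder relying on HTTP Basic auth, where only the browser holds the
credential and the server can merely answer 401.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """Minimal stand-in for a Zope request: cookie jar plus Authorization header."""
    cookies: Dict[str, str] = field(default_factory=dict)
    basic_auth: Optional[str] = None  # raw HTTP Authorization header value, if any


class UserFolder:
    """A user folder at some position in the acquisition chain (parent = folder above)."""
    pas = False

    def __init__(self, name: str, parent: Optional["UserFolder"] = None):
        self.name = name
        self.parent = parent

    def has_credentials(self, request: Request) -> bool:
        raise NotImplementedError


class PASFolder(UserFolder):
    """Cookie-based folder standing in for one that implements IPluggableAuthService."""
    pas = True

    def __init__(self, name: str, cookie_name: str, parent: Optional[UserFolder] = None):
        super().__init__(name, parent)
        self.cookie_name = cookie_name

    def has_credentials(self, request: Request) -> bool:
        return self.cookie_name in request.cookies

    def resetCredentials(self, request: Request) -> None:
        # The server owns the cookie, so expiring it makes the logout stick.
        request.cookies.pop(self.cookie_name, None)


class BasicAuthFolder(UserFolder):
    """Classic folder using HTTP Basic auth: the browser caches the credential."""

    def has_credentials(self, request: Request) -> bool:
        return request.basic_auth is not None

    def manage_zmi_logout(self, request: Request) -> int:
        # Zope's approach: answer 401 so the browser re-prompts. The server cannot
        # forget the browser's cached header, so the request's credential survives.
        return 401


def chain(folder: UserFolder) -> List[UserFolder]:
    """Folders from the current context upwards (innermost first)."""
    out = []
    while folder is not None:
        out.append(folder)
        folder = folder.parent
    return out


def zmi_logout(context_folder: UserFolder, request: Request) -> Tuple[str, List[str]]:
    """Log out of the lowest folder holding credentials for this request.

    Returns (action, leftover): leftover lists folders that still hold
    credentials afterwards, i.e. the logout was not complete.
    """
    folders = chain(context_folder)
    target = next((f for f in folders if f.has_credentials(request)), None)
    if target is None:
        return "no_credentials", []
    if target.pas:
        target.resetCredentials(request)
        action = "reset:" + target.name
    else:
        target.manage_zmi_logout(request)
        action = "http_401:" + target.name
    leftover = [f.name for f in folders if f.has_credentials(request)]
    return action, leftover


def demo_mixed() -> Tuple[Tuple[str, List[str]], Tuple[str, List[str]]]:
    """Portal PAS cookie below a root folder using HTTP Basic auth (constructed data)."""
    root = BasicAuthFolder("acl_users@/")
    portal = PASFolder("acl_users@/portal", cookie_name="__ac", parent=root)
    request = Request(cookies={"__ac": "portal-user-token"},
                      basic_auth="Basic bWFuYWdlcjpzZWNyZXQ=")  # constructed header
    first = zmi_logout(portal, request)   # clears the portal cookie, root remains
    second = zmi_logout(portal, request)  # falls back to Zope's 401, root still remains
    return first, second


def demo_pas_only() -> Tuple[Tuple[str, List[str]], Tuple[str, List[str]]]:
    """Two PAS folders: the second logout call completes what the first could not."""
    root = PASFolder("acl_users@/", cookie_name="__ac_root")
    portal = PASFolder("acl_users@/portal", cookie_name="__ac", parent=root)
    request = Request(cookies={"__ac": "portal-user-token", "__ac_root": "manager-token"})
    return zmi_logout(portal, request), zmi_logout(portal, request)


if __name__ == "__main__":
    print(demo_mixed())
    print(demo_pas_only())
```

In the mixed case the second call never gets further than a 401 because the browser, not the server, holds the Basic auth credential; in the PAS-only case the user simply has to log out twice, once per folder, which is the "must again call for a logout" behavior from the description.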