Plone falls back to zmi login on lack of permissions

Problem statement:
Plone site workflow is set to intranet. Users can log to plone, but when bad credentials are given (or user does not have permission) plone opens the zmi login (falls back to zmi login). We want to change this so the users that are not presented the zmi login or are redirected to another url.
We still want the management to be able to login with zmi. (This is important)

Any guidance is appreciated.

Which version of Plone?

I'm curious what the "zmi login" looks like... the BASIC auth form that you get when you go to /manage_main? It's certainly strange that a Plone site would be sending you to anything other than the /login_form

Plone 5. I have CAS enabled. So after CAS log in if the user does not have permissions it will fall back to zmi login. It could be the basic auth like you said. I know how to disable it, but if I disable it then the admins cannot get to ZMI. So is there another way for admins to get to zmi without this basic auth or is there a way to send people to a url rather than falling back on basic auth to zmi if users don't have permissions?

Falling back to "higher level" user folders is normal Zope behaviour. Likely, the easiest solution for your case would be that those "higher level" user folders can authenticate only your admin users. If necessary, use CAS for those user folders as well.

Interesting... "Likely, the easiest solution for your case would be that those "higher level" user folders can authenticate only your admin users."
How would I do this?

I do not know how you have set up those "higher level" user folders. In my installations, they know only the Zope "Manager"s and nothing else. As such, they cannot authenticate anyone else.

Sorry, I don't have experience with CAS setup. What did you use for that?

The problem is not CAS. It is zope related. Zope sends a 401 error when plone user is authenticated but not have enough permissions, hence the login dialog box. Apache doesn't see the 401 error, that's why I cannot change the headers in apache. Is there way to change the headers in Zope conf? (401 to 403?)

FIXED... for anyone that has the same problem here is the solution... sit down because this is complicated...

Go into apache config and add this:

Header unset WWW-Authenticate

You're welcome :slight_smile:

1 Like

Is that something you could add to the documentation for whatever CAS package you're using? Or perhaps someplace reasonable in