Plone falls back to zmi login on lack of permissions

Problem statement:
Plone site workflow is set to intranet. Users can log in to Plone, but when bad credentials are given (or the user does not have permission) Plone opens the zmi login (falls back to zmi login). We want to change this so that users are not presented with the zmi login, or are redirected to another URL.
We still want the management to be able to login with zmi. (This is important)

Any guidance is appreciated.

Which version of Plone?

I'm curious what the "zmi login" looks like... the BASIC auth form that you get when you go to /manage_main? It's certainly strange that a Plone site would be sending you to anything other than the /login_form

Plone 5. I have CAS enabled. So after CAS log-in, if the user does not have permissions, it will fall back to zmi login. It could be the basic auth like you said. I know how to disable it, but if I disable it then the admins cannot get to ZMI. So is there another way for admins to get to zmi without this basic auth, or is there a way to send people to a URL rather than falling back on basic auth to zmi if users don't have permissions?

Falling back to "higher level" user folders is normal Zope behaviour. Likely, the easiest solution for your case would be that those "higher level" user folders can authenticate only your admin users. If necessary, use CAS for those user folders as well.

Interesting... "Likely, the easiest solution for your case would be that those "higher level" user folders can authenticate only your admin users."
How would I do this?

I do not know how you have set up those "higher level" user folders. In my installations, they know only the Zope "Manager"s and nothing else. As such, they cannot authenticate anyone else.

Sorry, I don't have experience with CAS setup. What did you use for that?

The problem is not CAS. It is Zope related. Zope sends a 401 error when a Plone user is authenticated but does not have enough permissions, hence the login dialog box. Apache doesn't see the 401 error, that's why I cannot change the headers in Apache. Is there a way to change the headers in Zope conf? (401 to 403?)

FIXED... for anyone that has the same problem here is the solution... sit down because this is complicated...

Go into apache config and add this:

Header unset WWW-Authenticate

You're welcome :slight_smile:

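As an added illustration (this is not the poster's configuration), one way to apply that fix while keeping the thread's other requirement, that managers can still reach the ZMI: strip the challenge header only on non-ZMI requests. The host name, backend address, Plone site id and the "/manage" path convention are assumptions.

```apache
# Added example, not from the thread. Assumes Plone 5 behind Apache 2.4 with
# mod_proxy, mod_headers and mod_setenvif; host, backend and site id are placeholders.
<VirtualHost *:80>
    ServerName www.example.org

    # Usual VirtualHostMonster mapping to the Plone site "Plone" on Zope port 8080.
    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/http/www.example.org:80/Plone/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/http/www.example.org:80/Plone/VirtualHostRoot/

    # Mark ZMI requests (assumption: only managers use /manage, /manage_main, ...).
    SetEnvIf Request_URI "/manage(_|/|$)" zmi_request

    # Zope answers "authenticated but not authorised" with 401 + WWW-Authenticate,
    # and that header is what makes the browser open the basic-auth dialog.
    # Remove it for everything except ZMI requests: ordinary users then get the
    # plain 401 page, while managers still get the basic-auth prompt at /manage*.
    # Both mod_headers tables are cleared, because the default (onsuccess) table
    # does not always hold the headers of a non-2xx response.
    Header        unset WWW-Authenticate env=!zmi_request
    Header always unset WWW-Authenticate env=!zmi_request
</VirtualHost>
```

To check the result, request a page the user is not allowed to see and confirm the 401 response carries no WWW-Authenticate header, then request /manage_main and confirm the header is still present there.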

Is that something you could add to the documentation for whatever CAS package you're using? Or perhaps someplace reasonable in docs.plone.org?