def specialGroups(event):
    """Set groups for IGroupAwarePrincipal."""

    principal = event.principal
    # only apply to non groups because it will end in cycle dependencies
    # since the principal will have tis role anyway
    if (IGroup.providedBy(principal) or
        not (IGroupAwarePrincipal.providedBy(principal) or
             IUnauthenticatedPrincipal.providedBy(principal))):
        return

    # global utility registered by everybodyGroup directive
    everyone = zope.component.queryUtility(IEveryoneGroup)
    if everyone is not None and everyone.id != principal.id and \
        everyone.id not in principal.groups:
        principal.groups.append(everyone.id)

    if IUnauthenticatedPrincipal.providedBy(principal):
        # global utility registered by unauthenticatedGroup directive
        unAuthGroup = zope.component.queryUtility(IUnauthenticatedGroup)
        if unAuthGroup is not None and unAuthGroup.id != principal.id and \
            unAuthGroup.id not in principal.groups:
            principal.groups.append(unAuthGroup.id)
    else:
        # global utility registered by authenticatedGroup directive
        authGroup = zope.component.queryUtility(IAuthenticatedGroup)
        if authGroup is not None and authGroup.id != principal.id and \
            authGroup.id not in principal.groups:
            principal.groups.append(authGroup.id)

    def render(self):
        if not IUnauthenticatedPrincipal.providedBy(self.request.principal):
            auth = component.getUtility(IAuthentication)
            ILogout(auth).logout(self.request)

        self.flash(_(u'Usted ha deslogueado'), type=u'message')
        return self.redirect(self.application_url())

 def __call__(self):
     if IUnauthenticatedPrincipal.providedBy(self.request.principal):
         self.http_status_code = 401
         self.additional_headers.update(
             [("WWW-Authenticate", "Basic realm=Bungeni")]
         )
     return super(Unauthorized, self).__call__()

def setGroupsForPrincipal(event):
    """Set local group information when a principal is created.

    Note: IUnauthenticatedPrincipal does not provide IGroupAwarePrincipal which
    is just wrong and makes the conditions a little bit complicated.
    """

    principal = event.principal
    # set only groups for group aware principals or unauthenticated which are
    # group aware too. This allows us to apply local roles to unautenticated
    # principals which allows to apply permissions/roles via local groups which
    # the application does not provide at global level.
    if not (IGroupAwarePrincipal.providedBy(principal) or
            IUnauthenticatedPrincipal.providedBy(principal)):
        return

    authentication = event.authentication
    for name, plugin in authentication.getAuthenticatorPlugins():
        if not interfaces.IGroupContainer.providedBy(plugin):
            continue
        # set groups for principals but not a group to itself. This could happen
        # for global defined groups
        principal.groups.extend(
            [id for id in plugin.getGroupsForPrincipal(principal.id)
             if id != principal.id])

    def getLoggedInPerson(self):
        """Return the currently logged-in person.

        If no one is logged in, return None. If there is an anonymous user
        logged in, then return ANONYMOUS. Otherwise, return the logged-in
        `IPerson`.
        """
        # I don't really know the canonical way of asking for "the logged-in
        # person", so instead I'm using all the ways I can find and making
        # sure they match each other. -- jml
        by_launchbag = getUtility(IOpenLaunchBag).user
        principal = get_current_principal()
        if principal is None:
            return None
        elif IUnauthenticatedPrincipal.providedBy(principal):
            if by_launchbag is None:
                return ANONYMOUS
            else:
                raise ValueError(
                    "Unauthenticated principal, but launchbag thinks "
                    "%r is logged in." % (by_launchbag,))
        else:
            by_principal = principal.person
            self.assertEqual(by_launchbag, by_principal)
            return by_principal

 def update(self):
     if not IUnauthenticatedPrincipal.providedBy(self.request.principal):
         for key in self.KEYS:
             self.request.response.expireCookie(key, path='/', domain="bgetem.de")
             self.request.response.expireCookie(key, path='/')
         self.request.response.expireCookie('beaker.session.id', path='/')
         self.request['beaker.session'].delete()

    def uninstall(self):
        """See `IDatabasePolicy`.

        If the request just handled was not read_only, we need to store
        this fact and the timestamp in the session. Subsequent requests
        can then keep using the master until they are sure any changes
        made have been propagated.
        """
        if not self.read_only:
            # We need to further distinguish whether it's safe to write
            # to the session. This will be true if the principal is
            # authenticated or if there is already a session cookie
            # hanging around.
            if not IUnauthenticatedPrincipal.providedBy(
                self.request.principal) or self._hasSession():
                # A non-readonly request has been made. Store this fact
                # in the session. Precision is hard coded at 1 minute
                # (so we don't update the timestamp if it is no more
                # than 1 minute out of date to avoid unnecessary and
                # expensive write operations). Feeds are always read
                # only, and since they run over http, browsers won't
                # send their session key that was set over https, so we
                # don't want to access the session which will overwrite
                # the cookie and log the user out.
                session_data = ISession(self.request)['lp.dbpolicy']
                last_write = session_data.get('last_write', None)
                now = _now()
                if (last_write is None or
                    last_write < now - timedelta(minutes=1)):
                    # set value
                    session_data['last_write'] = now

    def _maybePlacefullyAuthenticate(self, request, ob):
        if not IUnauthenticatedPrincipal.providedBy(request.principal):
            # We've already got an authenticated user. There's nothing to do.
            # Note that beforeTraversal guarentees that user is not None.
            return

        if not zope.component.interfaces.ISite.providedBy(ob):
            # We won't find an authentication utility here, so give up.
            return

        sm = removeSecurityProxy(ob).getSiteManager()

        auth = sm.queryUtility(IAuthentication)
        if auth is None:
            # No auth utility here
            return

        # Try to authenticate against the auth utility
        principal = auth.authenticate(request)
        if principal is None:
            principal = auth.unauthenticatedPrincipal()
            if principal is None:
                # nothing to do here
                return

        request.setPrincipal(principal)

 def __call__(self):
     request = self.request
     if (not IUnauthenticatedPrincipal.providedBy(request.principal)
         and 'gum.Login' in request):
         request.response.redirect( self.url(grok.getApplication()) )
     else:
         return self.template.render(self)

def homefolder_url(request):
    principal = request.principal
    if IUnauthenticatedPrincipal.providedBy(principal):
        return
    homefolders = getUtility(IHomefolders)
    homefolder = homefolders.get(principal.id)
    return homefolder and IAbsoluteURL(homefolder, request) or None

 def handleLogin(self, action):
     """Handle the subscribe action will register and login a user."""
     if not IUnauthenticatedPrincipal.providedBy(self.request.principal):
         session = ISession(self.request, None)
         sessionData = session.get('z3c.authenticator.credential.session')
         if sessionData is not None and sessionData.get('camefrom'):
             self.nextURL = sessionData['camefrom']
             sessionData['camefrom'] = None

 def update(self):
     if not IUnauthenticatedPrincipal.providedBy(self.request.principal):
         for key in self.KEYS:
             self.request.response.expireCookie(key,
             path='/', domain="bg-kooperation.de")
     else:
         self.request.response.expireCookie("auth_pubtkt",
             path='/', domain="bg-kooperation.de")

 def login(self, nextURL=None):
     # we don't want to keep challenging if we're authenticated
     if IUnauthenticatedPrincipal.providedBy(self.request.principal):
         component.getUtility(IAuthentication).unauthorized(
             self.request.principal.id, self.request)
         return self.failed()
     else:
         return self._confirm(nextURL)

def test_traverse(url):
    """Traverse the url in the same way normal publishing occurs.

    Returns a tuple of (object, view, request) where:
      object is the last model object in the traversal chain
      view is the defined view for the object at the specified url (if
        the url didn't directly specify a view, then the view is the
        default view for the object.
      request is the request object resulting from the traversal.  This
        contains a populated traversed_objects list just as a browser
        request would from a normal call into the app servers.

    This call uses the currently logged in user, and does not start a new
    transaction.
    """
    url_parts = urlsplit(url)
    server_url = '://'.join(url_parts[0:2])
    path_info = url_parts[2]
    request, publication = get_request_and_publication(
        host=url_parts[1], extra_environment={
            'SERVER_URL': server_url,
            'PATH_INFO': path_info})

    request.setPublication(publication)
    # We avoid calling publication.beforePublication because this starts a new
    # transaction, which causes an abort of the existing transaction, and the
    # removal of any created and uncommitted objects.

    # Set the default layer.
    adapters = getGlobalSiteManager().adapters
    layer = adapters.lookup((providedBy(request),), IDefaultSkin, '')
    if layer is not None:
        layers.setAdditionalLayer(request, layer)

    principal = get_current_principal()

    if IUnauthenticatedPrincipal.providedBy(principal):
        login = None
    else:
        login = principal.person
    setupInteraction(principal, login, request)

    getUtility(IOpenLaunchBag).clear()
    app = publication.getApplication(request)
    view = request.traverse(app)
    # Find the object from the view instead on relying that it stays
    # in the traversed_objects stack. That doesn't apply to the web
    # service for example.
    try:
        obj = removeSecurityProxy(view).context
    except AttributeError:
        # But sometime the view didn't store the context...
        # Use the last traversed object in these cases.
        obj = request.traversed_objects[-2]

    restoreInteraction()

    return obj, view, request

 def getSession(self):
     """Get the session data container that stores the OpenID request."""
     if IUnauthenticatedPrincipal.providedBy(self.request.principal):
         # A dance to assert that we want to break the rules about no
         # unauthenticated sessions. Only after this next line is it
         # safe to set session values.
         allowUnauthenticatedSession(
             self.request, duration=timedelta(minutes=60))
     return ISession(self.request)[SESSION_PKG_KEY]

 def logout(self, nextURL=None):
     if not IUnauthenticatedPrincipal.providedBy(self.request.principal):
         auth = component.getUtility(IAuthentication)
         ILogout(auth).logout(self.request)
         if nextURL:
             return self.redirect()
     if nextURL is None:
         return self.confirmation()
     else:
         return self.request.response.redirect(nextURL)

 def __call__(self):
     if IUnauthenticatedPrincipal.providedBy(self.request.principal):
         self.request.principal.__parent__.unauthorized(
             self.request.principal.id, self.request)
         return 'Launchpad basic auth login page'
     referer = self.request.getHeader('referer')  # Traditional w3c speling
     if referer and self.isSameHost(referer):
         self.request.response.redirect(referer)
     else:
         self.request.response.redirect(self.request.getURL(1))
     return ''

    def _maybePlacefullyAuthenticate(self, request, ob):
        if not IUnauthenticatedPrincipal.providedBy(request.principal):
            # We've already got an authenticated user. There's nothing to do.
            # Note that beforeTraversal guarentees that user is not None.
            return

        if not ISite.providedBy(ob):
            # We won't find an authentication utility here, so give up.
            return

        sm = removeSecurityProxy(ob).getSiteManager()
        self.authenticate(request, sm)

 def __call__(self):
     if IUnauthenticatedPrincipal.providedBy(self.request.principal):
         return u'<a href="@@login.html?nextURL=%s">%s</a>' % (
             urllib.quote(self.request.getURL()),
             translate(_('[Login]'), context=self.request,
                       default='[Login]'))
     elif ILogoutSupported(self.request, None) is not None:
         return u'<a href="@@logout.html?nextURL=%s">%s</a>' % (
             urllib.quote(self.request.getURL()),
             translate(_('[Logout]'), context=self.request,
                       default='[Logout]'))
     else:
         return None

 def handle_login(self, **data):
     authenticated = not IUnauthenticatedPrincipal.providedBy(
         self.request.principal,
     )
     if authenticated:
         camefrom = self.request.form.get('camefrom')
         if camefrom:
             self.redirect(camefrom, self.url(grok.getSite()))
         else:
             self.redirect(self.url(grok.getSite()))
         self.flash(u'Logueado!', type=u'message')
     else:
         self.status = u'Autenticación fallida'
         self.errors += (Invalid(u'Usuario y/o contraseña invalidos'),)
         self.form_reset = False