    mixin.erp5.BaseExtensibleTraversableMixin: Do not call PAS with a fake request · 67988359
    Vincent Pelletier authored
    As already documented in this code, unrestrictedTraverse provides a flat dict
    as "request" argument. PAS plugins cannot work with such a fake request, so
    such _extractUserIds call will not succeed in authenticating the user, and instead
    produces (suppressed) exceptions within PAS.
    As a result, neither codepath can be followed:
    - PAS cannot find any user, hence "if len(user_list) > 0:" is false
    - the "else" codepath starts with "request._auth", which obviously raises when
      request is a dict
    So, reorder the code so that the nature of the request is checked before
    either codepath is entered, skipping the bulk of this code and avoiding calling
    into PAS.
mixin.erp5.BaseExtensibleTraversableMixin.py 6.44 KB
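
The ordering problem the commit message describes, as an added sketch that is not the ERP5 code: `FakePAS`, `Request`, `lookup_before` and `lookup_after` are hypothetical stand-ins, and the `isinstance(request, dict)` test is an assumed way of checking the nature of the request. Only `_auth` and `user_list` are names taken from the message.

```python
class FakePAS:
    """Hypothetical stand-in for a PAS-like user folder (not the real PAS API)."""

    def __init__(self):
        self.calls = 0       # how many times authentication was attempted
        self.suppressed = 0  # exceptions swallowed inside the "plugins"

    def extract_user_ids(self, request):
        self.calls += 1
        try:
            # Plugins expect a real request object, not a flat dict.
            return [request._auth]
        except AttributeError:
            self.suppressed += 1  # suppressed, so the caller sees "no user"
            return []


class Request:
    """Hypothetical minimal request object carrying credentials."""

    def __init__(self, auth):
        self._auth = auth


def lookup_before(pas, request):
    """Original ordering: PAS is consulted first, then request._auth is read."""
    user_list = pas.extract_user_ids(request)
    if len(user_list) > 0:
        return user_list[0]
    return request._auth  # AttributeError when request is a dict


def lookup_after(pas, request):
    """Reordered: the nature of the request is checked before either codepath."""
    if isinstance(request, dict):  # assumed check for the fake request
        return None                # skip the bulk of the code, PAS never called
    user_list = pas.extract_user_ids(request)
    if len(user_list) > 0:
        return user_list[0]
    return request._auth


if __name__ == "__main__":
    pas = FakePAS()
    print(lookup_after(pas, {"URL": "constructed"}), pas.calls)
    print(lookup_after(pas, Request("constructed-credentials")), pas.calls)
```
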