Re: [Zope-dev] Membership and Local Roles
Michael Bernstein wrote:
>
> Michael Bernstein wrote:
> >
> > I figured out how to get this to work (finally).
> >
> > In the acl_users LM, add the following two Python methods:
>
> Well, I discovered another problem:
>
> For some reason, when I create a PortalMembership member, add the two
> Python methods as I described earlier, and use the local roles screen to
> give them a role, they are subsequently authenticated regardless of
> whether their password is correct.
>
> Here's an example illustrating the bug:
>
> [snip example]

This password problem is fixed with Bill Anderson's new release of
Membership 0.7.6, so the local roles fix now works generally.

There is still a platform dependent password problem with Membership
though. It affects Solaris and HPUX (possibly other unices) but not
Linux, and has to do with the crypt module not being loaded correctly on
those platforms, causing passwords to be encrypted only part of the time.

Here is the fix for local roles:

First, the User Source needs to support a getUserNames method. This can
be done two ways:

You can add a Python method to the LoginManager named getUserNames that
takes a 'self' parameter, and has the following body:

    user_ids=self.UserSource.getPersistentItemIDs()
    names=[]
    for i in user_ids:
        names.append(i)
    return names

Or you can add the following code directly to the
PersistentUserSource.py file, preferably right before or after the
getUsers method:

    def getUserNames(self):
        user_ids=self.getPersistentItemIDs()
        names=[]
        for i in user_ids:
            names.append(i)
        return names

(I hope this will get included in future versions of Membership)

Next we need to provide a user_names method in the LoginManager.
Currently I only have a Python method to drop in to the LM. It takes a
'self' parameter, and has the following body if it's calling another
Python method:

    return self.getUserNames()

Or if you're calling the method in PersistentUserSource.py, it has this
body:

    return self.UserSource.getUserNames()

Note that this user_names method has some disadvantages, and it needs to
be generalized to deal with multiple User Sources that aren't all named
UserSource, and that may not all implement the getUserNames interface,
and that may have duplicate user names in them. Suggestions on how to do
this would be welcome.

I hope that this little set of instructions helps others who are trying
to integrate LM with the existing security interface and local roles.
Comments, testing, and improvements would be welcomed.

HTH,

Michael Bernstein.

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
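The generalization asked for at the end of the message above, sketched as an added example (Python 3, not part of the original post and not Membership or LoginManager code). PersistentSource and RemoteSource are hypothetical stand-ins for User Sources, and passing the sources in as a list is an assumption, since the thread does not show how LoginManager enumerates them.

```python
# Added illustration: merge user names from several User Sources.
# The classes below are hypothetical stand-ins, not Zope classes.


class PersistentSource:
    """Stand-in for a User Source that stores its users persistently."""

    def __init__(self, ids):
        self._ids = list(ids)

    def getPersistentItemIDs(self):
        return list(self._ids)

    def getUserNames(self):
        # Return the ids themselves (names), never the user objects.
        return [i for i in self.getPersistentItemIDs()]


class RemoteSource:
    """Stand-in for an authentication-only source without getUserNames."""

    def authenticate(self, name, password):
        return False


def user_names(sources):
    """Return one sorted list of names drawn from every listable source.

    Sources that do not implement getUserNames are skipped, duplicate
    names collapse to a single entry, and anything that is not a string
    is rejected, because get_valid_userids uses each entry as a
    dictionary key (dict[name]=1).
    """
    seen = {}
    for source in sources:
        getter = getattr(source, "getUserNames", None)
        if not callable(getter):
            continue  # nothing to list for this source
        for name in getter():
            if not isinstance(name, str):
                raise TypeError(
                    "getUserNames must return names, got %s"
                    % type(name).__name__
                )
            seen[name] = 1
    return sorted(seen)


if __name__ == "__main__":
    # Constructed sample data: two persistent sources sharing one name.
    members = PersistentSource(["testuser", "alice"])
    staff = PersistentSource(["bob", "alice"])
    print(user_names([members, RemoteSource(), staff]))
```

Local roles are assigned by name, so a name that exists in two sources appears once in the list and the role applies to that name whichever source authenticates it.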
Re: [Zope-dev] Membership and Local Roles
Michael Bernstein wrote:
>
> I figured out how to get this to work (finally).
>
> In the acl_users LM, add the following two Python methods:

Well, I discovered another problem:

For some reason, when I create a PortalMembership member, add the two
Python methods as I described earlier, and use the local roles screen to
give them a role, they are subsequently authenticated regardless of
whether their password is correct.

Here's an example illustrating the bug:

- Create a new folder /hello
- Add a PortalMembership System
- Add the user_names and getUsernames Python Methods
- Use the joinForm to add a new member 'testuser'
- Create a subfolder /hello/hello2
- Go to the hello2 local roles screen, and add a manager local role
  for testuser
- Exit your browser, and restart it.
- Go to /hello/hello2/manage
- You are presented with the PortalMembership loginForm
- login as testuser, but leave the password field blank
- You will be authenticated anyway, and see the management interface

Note that logging in using a non-existent username does not work, the
only problem seems to be that it ignores the password.

Any ideas?

Michael Bernstein.
Re: [Zope-dev] Membership and Local Roles
I figured out how to get this to work (finally).

In the acl_users LM, add the following two Python methods:

- getUserNames

  Parameter List: self

  Body:

      user_ids=self.UserSource.getPersistentItemIDs()
      names=[]
      for i in user_ids:
          names.append(i)
      return names

- user_names

  Parameter List: self

  Body:

      return self.getUserNames()

And whatever users or members you've got that are stored persistently
within the User Source will appear in the local roles screen
(manage_listLocalRole).

Preliminary tests show that local roles defined for
LoginManager/Membership users work just as expected.

Thanks to Bill Anderson for pointing out the difference between
returning a list of objects and a list of names, which was the critical
bug in the getUserNames method.

Michael Bernstein.
Re: [Zope-dev] Membership and Local Roles
Michael Bernstein wrote:
>
> Steve Alexander wrote:
> >
> > Michael Bernstein wrote:
> >
> > > I posted this to the PTK list on Friday, but didn't get any responses
> > > over the weekend, so I'm reposting here.
> > >
> > > I feel that a barrier to Loginmanager and Membership becoming more
> > > generally usable for site builders is its current lack of support for
> > > local roles. Specifically, members do not show up in the local roles
> > > screen (manage_listLocalRoles) user list.
> > >
> > > Through the magic of grep and find, I think I've identified the relevant
> > > sections of code in Zope that need to be duplicated in Membership (or
> > > maybe in LoginManager).
> >
> > I think you've found out why local roles don't work. Congratulations on
> > a successful code hunting mission :-)
>
> I *think* I've created a getUserNames python method that returns the
> appropriate results:

I have made some more progress (of a sort). I added another Python
Method to the LoginManager called user_names:

Parameter list: self

Body:

    return self.getUserNames()

As far as I can see, this should be functionally equivalent to the
user_names method in User.py:

    def user_names(self):
        return self.getUserNames()

But it doesn't work. On the bright side, I've managed to break the
manage_listLocalRoles local roles screen. This is the first time that
I've had any interaction with the local roles screen, so I guess now I
know I'm messing with the right stuff.

The error message I get is:

Error Type: AttributeError
Error Value: __hash__

Here is the traceback:

Traceback (innermost last):
  File /usr/local/zope/2-2-0/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /usr/local/zope/2-2-0/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/zope/2-2-0/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ElementWithAttributes)
  File /usr/local/zope/2-2-0/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/zope/2-2-0/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: manage_listLocalRoles)
  File /usr/local/zope/2-2-0/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: manage_listLocalRoles)
  File /usr/local/zope/2-2-0/lib/python/App/special_dtml.py, line 121, in __call__
    (Object: manage_listLocalRoles)
  File /usr/local/zope/2-2-0/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: manage_listLocalRoles)
  File /usr/local/zope/2-2-0/lib/python/DocumentTemplate/DT_In.py, line 630, in renderwob
    (Object: get_valid_userids)
  File /usr/local/zope/2-2-0/lib/python/AccessControl/Role.py, line 360, in get_valid_userids
    (Object: ElementWithAttributes)
AttributeError: (see above)

Any ideas?

Michael Bernstein.
Re: [Zope-dev] Membership and Local Roles
Michael Bernstein wrote:
>
> Steve Alexander wrote:
> >
> > Michael Bernstein wrote:
> >
> > > I posted this to the PTK list on Friday, but didn't get any responses
> > > over the weekend, so I'm reposting here.
> > >
> > > I feel that a barrier to Loginmanager and Membership becoming more
> > > generally usable for site builders is its current lack of support for
> > > local roles. Specifically, members do not show up in the local roles
> > > screen (manage_listLocalRoles) user list.
> > >
> > > Through the magic of grep and find, I think I've identified the relevant
> > > sections of code in Zope that need to be duplicated in Membership (or
> > > maybe in LoginManager).
> >
> > I think you've found out why local roles don't work. Congratulations on
> > a successful code hunting mission :-)
>
> I *think* I've created a getUserNames python method that returns the
> appropriate results:
>
> Parameter list:
> self
>
> Body:
>
> user_ids=self.UserSource.getPersistentItemIDs()
>
> names=[]
> for i in user_ids:
>     names.append(self.getItem(i))
> return names

Returns a list of objects.

> I basically copied the Membership getMembers python method for this.
>
> Guess what? It still doesn't work.
>
> I don't understand the differences between the code I pasted above and
> the code on the original getUserNames method (from :
>
>     def getUserNames(self):
>         """Return a list of usernames"""
>         names=self.data.keys()
>         names.sort()
>         return names

Returns a list of usernames.

> Can anyone tell me what I need to fix?

Unfortunately, I cannot yet.

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy,
and have the root password.
Re: [Zope-dev] Membership and Local Roles
Steve Alexander wrote:
>
> Michael Bernstein wrote:
>
> > I posted this to the PTK list on Friday, but didn't get any responses
> > over the weekend, so I'm reposting here.
> >
> > I feel that a barrier to Loginmanager and Membership becoming more
> > generally usable for site builders is its current lack of support for
> > local roles. Specifically, members do not show up in the local roles
> > screen (manage_listLocalRoles) user list.
> >
> > Through the magic of grep and find, I think I've identified the relevant
> > sections of code in Zope that need to be duplicated in Membership (or
> > maybe in LoginManager).
>
> I think you've found out why local roles don't work. Congratulations on
> a successful code hunting mission :-)

I *think* I've created a getUserNames python method that returns the
appropriate results:

Parameter list: self

Body:

    user_ids=self.UserSource.getPersistentItemIDs()
    names=[]
    for i in user_ids:
        names.append(self.getItem(i))
    return names

I basically copied the Membership getMembers python method for this.

Guess what? It still doesn't work.

I don't understand the differences between the code I pasted above and
the code on the original getUserNames method (from :

    def getUserNames(self):
        """Return a list of usernames"""
        names=self.data.keys()
        names.sort()
        return names

Can anyone tell me what I need to fix?

Michael Bernstein.
Re: [Zope-dev] Membership and Local Roles
Steve Alexander wrote:
>
> Michael Bernstein wrote:
>
> > I feel that a barrier to Loginmanager and Membership becoming more
> > generally usable for site builders is its current lack of support for
> > local roles. Specifically, members do not show up in the local roles
> > screen (manage_listLocalRoles) user list.
> >
> > Through the magic of grep and find, I think I've identified the relevant
> > sections of code in Zope that need to be duplicated in Membership (or
> > maybe in LoginManager).
>
> I don't know for sure, but I think the API for returning a list of users
> has been omitted intentionally. A LoginManager instance might "contain"
> (or rather, provide authentication to) thousands of users. Listing all
> of these would arguably break the management interface.

I think I saw at least one proposal on a UI change to better accommodate
large numbers of users, and I agree that this is necessary. But right
now, I need LoginManager to hook into the current management interface
infrastructure to be useful.

In any case, many deployments with that many users will be using LM for
authentication only, and won't be instantiating user objects for them.
This means that you don't have any user objects to list in the Local
Roles UI anyway. I have less than a hundred users stored persistently
(as Members), and really need to get this working.

> Perhaps what LoginManager (or Membership) needs is a way of stating, for
> each user, whether they should appear in the local-roles list. This
> could be a checkbox for each user, or it could be a method that gets
> called to specify the users that appear, for example, using a regular
> expression, or perhaps based on some quality of the user object.

That sounds like an interesting proposal, and in the absence of a better
one, I'll support it.

> You should still be able to use local roles, even now, by using an
> external method to add local roles where you need them, and explicitly
> give the user id. You just can't select from the management interface.

Some Products (most notably Tracker) seem to require the same interface
that the local roles UI does, so this approach won't work for them.

IANAC (I Am Not A Coder), except in the most rudimentary sense, and I'm
just trying to get several existing products to integrate smoothly. This
is the last remaining issue (although I'm sure I'll come up with new
ones).

Ideally, I would like a DTML or Python Method that I can drop into the
LM and get this working. Can anybody help with this?

Michael Bernstein.
Re: [Zope-dev] Membership and Local Roles
Michael Bernstein wrote:

> I posted this to the PTK list on Friday, but didn't get any responses
> over the weekend, so I'm reposting here.
>
> I feel that a barrier to Loginmanager and Membership becoming more
> generally usable for site builders is its current lack of support for
> local roles. Specifically, members do not show up in the local roles
> screen (manage_listLocalRoles) user list.
>
> Through the magic of grep and find, I think I've identified the relevant
> sections of code in Zope that need to be duplicated in Membership (or
> maybe in LoginManager).

I think you've found out why local roles don't work. Congratulations on
a successful code hunting mission :-)

I don't know for sure, but I think the API for returning a list of users
has been omitted intentionally. A LoginManager instance might "contain"
(or rather, provide authentication to) thousands of users. Listing all
of these would arguably break the management interface.

Perhaps what LoginManager (or Membership) needs is a way of stating, for
each user, whether they should appear in the local-roles list. This
could be a checkbox for each user, or it could be a method that gets
called to specify the users that appear, for example, using a regular
expression, or perhaps based on some quality of the user object.

You should still be able to use local roles, even now, by using an
external method to add local roles where you need them, and explicitly
give the user id. You just can't select from the management interface.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
[Zope-dev] Membership and Local Roles
I posted this to the PTK list on Friday, but didn't get any responses
over the weekend, so I'm reposting here.

I feel that a barrier to Loginmanager and Membership becoming more
generally usable for site builders is its current lack of support for
local roles. Specifically, members do not show up in the local roles
screen (manage_listLocalRoles) user list.

Through the magic of grep and find, I think I've identified the relevant
sections of code in Zope that need to be duplicated in Membership (or
maybe in LoginManager).

First I tracked down what seems to be the relevant section in
/lib/python/AccessControl/Role.py, in the section labeled 'Local roles
support':

    def get_valid_userids(self):
        item=self
        dict={}
        while 1:
            if hasattr(aq_base(item), 'acl_users') and \
               hasattr(item.acl_users, 'user_names'):
                for name in item.acl_users.user_names():
                    dict[name]=1
            if not hasattr(item, 'aq_parent'):
                break
            item=item.aq_parent
        keys=dict.keys()
        keys.sort()
        return keys

Then I tracked down the user_names attribute to
/lib/python/AccessControl/User.py, in the section labeled 'Private
UserFolder object interface':

    def user_names(self):
        return self.getUserNames()

Well, that wasn't very helpful. Searching a bit more and I find:

    def getUserNames(self):
        """Return a list of usernames"""
        names=self.data.keys()
        names.sort()
        return names

Experimenting a bit, I find that a normal user folder object responds to
an /acl_users/user_names URL with an error, but does respond to an
/acl_users/getUserNames URL with a list of user names.

And now I'm stuck. I *think* that LoginManager needs a getUserNames
method that cycles through the available User Sources and grabs a list
of names from each, concatenating them into one big list to return. I'll
settle for some code that has the User Source name hard-wired in,
though.

However, IANAC (I Am Not A Coder), and I don't know how to do this.

If anyone can offer a cut-and-paste set of instructions to add this into
LoginManager or Membership, it would be greatly appreciated. If I've
missed something obvious or misunderstood the problem, please tell me
that too.

Thanks,

Michael Bernstein.