Re: [Zope-dev] LDAPRoleTwiddler / BasicUserFolder

2002-10-17 Thread Jens Vagelpohl
why is that code no longer referring to the real userfolder anymore? it 
should not make calls to authorize/identify/authorize on self but on 
the LDAPUserFolder it is using as the user source.

jens


On Thursday, Oct 17, 2002, at 03:39 US/Eastern, Dirk Datzert wrote:

Hi all,

I am trying to solve some problems with LDAPRoleTwiddler, a version 
inherited from BasicUserFolder.

I currently use a validate() function similar to the one I saw in 
BasicUserFolder and in LDAPRoleExtender (modifications from Shane).

My problem is that

    if self.authorize(user, a, c, n, v, roles):
        return user.__of__(self)

in validate() does not work, but

    return user.__of__(self)

works better, but does not do the same as the API (which I don't know) 
expects.

Can anybody give a hint ?

Regards,
Dirk

used python code:

# This must stay accessible to everyone
def validate(self, request, auth='', roles=_noroles):
    """ The main engine """

    v = request['PUBLISHED']  # the published object
    a, c, n, v = self._getobcontext(v, request)

    name, password = self.identify(auth)
    user = self.authenticate(name, password, request)

    if user is not None:
        # On my Test-System it works with authorize()
        # On my Integration-System it works only without authorize()
        #if self.authorize(user, a, c, n, v, roles):
        return user.__of__(self)

    # Could not twiddle a user.  Defer to other user folders.
    return None

def authenticate(self, name, password, request):
    super = self._emergency_user

    if name is None:
        return None

    if super and name == super.getUserName():
        user = super
    else:
        user = self.getUser(name, password)

    if user is not None and user.authenticate(password, request):
        return user
    else:
        return None







___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] LDAPRoleTwiddler / BasicUserFolder

2002-10-17 Thread Dirk Datzert
Hi Jens,

> why is that code no longer referring to the real userfolder anymore? it 
> should not make calls to authorize/identify/authorize on self but on 
> the LDAPUserFolder it is using as the user source.


self.identify() should be the same as getLUF().identify(), since LDAPUserFolder and 
LDAPRoleTwiddler both inherit this from BasicUserFolder.

self.authenticate() does a self.getUser(), which refers to getLUF().getUser(), does the 
twiddling in one step and returns the right user object, which the API would expect.

I think that self.authorize(user, ...) is better than self.getLUF().authorize(user, ...)
because authorize does the following in its first line:

    def authorize(self, user, ...):  # (inherited from BasicUserFolder)
        user = getattr(user, 'aq_base', user).__of__(self)

This would be different for self.authorize(), where self would be the LRT, and
self.getLUF().authorize(), where self would be the LUF.

The user is seen in 2 different contexts by .__of__(self).

Maybe I'm making this too complicated. Your opinion?

Regards,
Dirk







Re: [Zope-dev] LDAPRoleTwiddler / BasicUserFolder

2002-10-17 Thread Jens Vagelpohl
being explicit is almost always better. you are relying on internal 
magic and it's not apparent from looking at the code you wrote.

the validate implementation in the LDAPRoleExtender is the most 
correct one. shane worked on it for a while to make sure it does the 
most correct thing possible, and if anyone knows about the vagaries of 
acquisition/security and all its possible permutations it is him.

jens


On Thursday, Oct 17, 2002, at 08:37 US/Eastern, Dirk Datzert wrote:

Hi Jens,


why is that code no longer referring to the real userfolder anymore? it
should not make calls to authorize/identify/authorize on self but on
the LDAPUserFolder it is using as the user source.


self.identify() should be the same as getLUF().identify(), since 
LDAPUserFolder and LDAPRoleTwiddler both inherit this from 
BasicUserFolder.

self.authenticate() does a self.getUser(), which refers to 
getLUF().getUser(), does the twiddling in one step and returns the right 
user object, which the API would expect.

I think that self.authorize(user, ...) is better than 
self.getLUF().authorize(user, ...)
because authorize does the following in its first line:

    def authorize(self, user, ...):  # (inherited from BasicUserFolder)
        user = getattr(user, 'aq_base', user).__of__(self)

This would be different for self.authorize(), where self would be the 
LRT, and
self.getLUF().authorize(), where self would be the LUF.

The user is seen in 2 different contexts by .__of__(self).

Maybe I'm making this too complicated. Your opinion?

Regards,
Dirk







Re: [Zope-dev] LDAPRoleTwiddler / BasicUserFolder

2002-10-17 Thread Shane Hathaway
Jens Vagelpohl wrote:

being explicit is almost always better. you are relying on internal 
magic and it's not apparent from looking at the code you wrote.

the validate implementation in the LDAPRoleExtender is the most 
correct one. shane worked on it for a while to make sure it does the 
most correct thing possible, and if anyone knows about the vagaries of 
acquisition/security and all its possible permutations it is him.

:-) Well, I tried to get it right, but I'm sure I could have missed 
something.

On Thursday, Oct 17, 2002, at 08:37 US/Eastern, Dirk Datzert wrote:


Hi Jens,


why is that code no longer referring to the real userfolder anymore? it
should not make calls to authorize/identify/authorize on self but on
the LDAPUserFolder it is using as the user source.



self.identify() should be the same as getLUF().identify(), since 
LDAPUserFolder and LDAPRoleTwiddler both inherit this from 
BasicUserFolder.

self.authenticate() does a self.getUser(), which refers to 
getLUF().getUser(), does the twiddling in one step and returns the right 
user object, which the API would expect.

I think that self.authorize(user, ...) is better than 
self.getLUF().authorize(user, ...)
because authorize does the following in its first line:

    def authorize(self, user, ...):  # (inherited from BasicUserFolder)
        user = getattr(user, 'aq_base', user).__of__(self)

This would be different for self.authorize(), where self would be the 
LRT, and
self.getLUF().authorize(), where self would be the LUF.

The user is seen in 2 different contexts by .__of__(self).

Maybe I'm making this too complicated. Your opinion?

The idea behind LDAPRoleExtender is to give the user global roles if the 
user accesses a context where extra roles would be given.  In order to 
grant global roles, the context of the user is always the 
LDAPUserFolder, not the role extender.

Role computation applied this way has a nasty side effect, 
unfortunately: if the user is allowed to write any kind of script, the 
user can access anything protected by the supposedly local roles.  Don't 
ever grant the Manager role using LDAPRoleExtender unless you fully 
trust the user.

I don't know anything about LDAPRoleTwiddler.  But I would recommend you 
install the VerboseSecurity product, which will tell you a lot more 
about the Unauthorized error.

And if you're interested, I know how we can make LDAPRoleExtender much 
safer, based on conversations with Jens.

Shane




Re: [Zope-dev] LDAPRoleTwiddler / BasicUserFolder

2002-10-17 Thread Dirk Datzert
Hi Shane,

thanks for answering.

 
> > Maybe I'm think too complicated, Your opinion ?
>
> The idea behind LDAPRoleExtender is to give the user global roles if the
>
> I don't know anything about LDAPRoleTwiddler.  But I would recommend you
> install the VerboseSecurity product, which will tell you a lot more
> about the Unauthorized error.

The LDAPRoleTwiddler (LRT) should act as an LDAPUserFolder (LUF). It uses
a LUF or an LRT in an upper directory to retrieve the user data and changes
the roles it got there depending on the group-to-role mapping.

example:

user has following LDAP groups dir1_VISITOR, dir2_AUTHOR

/acl_users (LUF)
/dir1/acl_users (LRT) map dir1_VISITOR to role Visitor
/dir2/acl_users (LRT) map dir2_AUTHOR to role Author

the user has the roles Anonymous, Authenticated and Visitor in dir1.
the user has the roles Anonymous, Authenticated and Author in dir2.
the user has the roles Anonymous, Authenticated in all other dirs.

 
> And if you're interested, I know how we can make LDAPRoleExtender much
> safer, based on conversations with Jens.
 
Sure, I'm interested.

Regards,
Dirk




Re: [Zope-dev] LDAPRoleTwiddler / BasicUserFolder

2002-10-17 Thread Dirk Datzert
> > if I access /dir2/index_html, does the user object come from LRT2?
> > what if I access aq_parent.dir1.index_html in /dir2/index_html?
> > Will the AUTHENTICATED_USER change? will the user object come from LRT2?
>
> No, it will not.  Only one user ever applies to a request.

And that is exactly my problem:

AUTHENTICATED_USER.has_permission('View', /dir1/index_html) always
returns 0
if AUTHENTICATED_USER comes from /acl_users and doesn't take into account
the local roles coming out of /dir1/acl_users.

What about the getRolesInContext strategy I was talking about?

Dirk
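To make the role computation argued over in this thread concrete, here is a toy Python model added by the editor. It is not Zope, LDAPUserFolder, LDAPRoleTwiddler or LDAPRoleExtender code, and Folder, User, base_roles, roles_in_context, has_permission and promote_globally are constructed names. It reproduces Dirk's layout (a LUF at /acl_users, LRTs in /dir1 and /dir2 mapping dir1_VISITOR and dir2_AUTHOR), shows why has_permission('View', ...) on /dir1 returns 0 when the user object from /acl_users is checked without the twiddler's context, and shows the side effect Shane describes when roles are granted globally instead of per context.

```python
# Constructed toy model of the role computation discussed in this thread.
# NOT Zope, LDAPUserFolder, LDAPRoleTwiddler or LDAPRoleExtender code; all
# names below are the editor's own.

ANONYMOUS = "Anonymous"
AUTHENTICATED = "Authenticated"


class Folder:
    """A folder in the acquisition chain. It may carry an LRT-style
    group-to-role mapping (valid only for its subtree) and permission
    settings; permissions it does not set are acquired from the parent."""

    def __init__(self, name, parent=None, group_to_role=None, permissions=None):
        self.name = name
        self.parent = parent
        self.group_to_role = dict(group_to_role or {})
        self.permissions = {p: set(r) for p, r in (permissions or {}).items()}

    def chain(self):
        """Yield this folder and then each parent up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def roles_for(self, permission):
        """Roles allowed for `permission`, acquired from the nearest folder that sets it."""
        for node in self.chain():
            if permission in node.permissions:
                return node.permissions[permission]
        return set()


class User:
    def __init__(self, name, ldap_groups, global_roles=()):
        self.name = name
        self.ldap_groups = set(ldap_groups)
        self.global_roles = set(global_roles)


def base_roles(user):
    """Roles the user object from /acl_users carries on its own, with no
    twiddler consulted: the case where has_permission() returns 0 for /dir1."""
    return {ANONYMOUS, AUTHENTICATED} | user.global_roles


def roles_in_context(user, folder):
    """Contextual strategy: walking up from `folder`, every LRT mapping on the
    way adds the roles for the user's LDAP groups, so the extra roles hold
    only inside that subtree (Dirk's dir1/dir2 example)."""
    roles = base_roles(user)
    for node in folder.chain():
        for group, role in node.group_to_role.items():
            if group in user.ldap_groups:
                roles.add(role)
    return roles


def has_permission(user, permission, folder, roles=None):
    """True if any of `roles` (default: roles computed in `folder`) grants
    `permission` on `folder`."""
    if roles is None:
        roles = roles_in_context(user, folder)
    return bool(roles & folder.roles_for(permission))


def promote_globally(user, folder):
    """Global strategy (the behaviour Shane warns about): roles computed in
    `folder` are written onto the user object itself, so from then on they
    apply everywhere, not only below `folder`."""
    user.global_roles |= roles_in_context(user, folder) - {ANONYMOUS, AUTHENTICATED}
    return set(user.global_roles)


def build_site():
    """Dirk's layout: /acl_users is the LUF, /dir1 and /dir2 hold LRTs."""
    root = Folder("/", permissions={"View": [ANONYMOUS], "Add Documents": ["Author"]})
    dir1 = Folder("dir1", root, {"dir1_VISITOR": "Visitor"}, permissions={"View": ["Visitor"]})
    dir2 = Folder("dir2", root, {"dir2_AUTHOR": "Author"}, permissions={"View": ["Author"]})
    return root, dir1, dir2


def demo():
    root, dir1, dir2 = build_site()
    user = User("dirk", ["dir1_VISITOR", "dir2_AUTHOR"])  # constructed sample user
    contextual = {
        "roles in /": sorted(roles_in_context(user, root)),
        "roles in /dir1": sorted(roles_in_context(user, dir1)),
        "roles in /dir2": sorted(roles_in_context(user, dir2)),
        "View dir1 (twiddler applied)": has_permission(user, "View", dir1),
        # Dirk's symptom: the plain /acl_users user knows nothing about dir1's twiddler
        "View dir1 (base user only)": has_permission(user, "View", dir1, base_roles(user)),
        "Add Documents in dir1": has_permission(user, "Add Documents", dir1),
    }
    promote_globally(user, dir2)  # user touched /dir2 once; Author is now global
    leaked = has_permission(user, "Add Documents", dir1)  # Shane's side effect
    return contextual, leaked


if __name__ == "__main__":
    contextual, leaked = demo()
    for key, value in contextual.items():
        print(f"{key}: {value}")
    print("Author leaks into /dir1 after global promotion:", leaked)
```

With the contextual computation the user is Visitor only under /dir1 and Author only under /dir2, exactly the table in Dirk's message, while checking the bare /acl_users user against /dir1 denies View. Once a role is promoted onto the user object instead, a permission that was meant to be local to /dir2 (Add Documents, needing Author) is granted in /dir1 as well, which is the reason Shane advises against handing out Manager through a global extender.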
