Re: [Zope-dev] PAS CookieAuthHelper and insufficient privileges
On 13 October 2010 17:16, Tres Seaver wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 10/11/2010 08:21 PM, Laurence Rowe wrote: >> I'm currently implementing single sign on across Plone sites but have >> run into a bit of an issue with the CookieAuthHelper. >> >> Unauthorized accesses are redirected to its login_path attribute even >> when a user is already logged in. Plone works around this with a >> require_login script that traverses to insufficient_privileges (rather >> than login_form) when the user is not anonymous. >> http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py >> >> I'd like to avoid having two redirects (one to require_login and then >> one to the remote login page). >> >> One option (as suggested in require_login.py) would be to have >> CookieAuthHelper traverse rather than redirect to the login_path so >> that sites could override the behaviour, though they would then >> presumably need to duplicate the functionality currently in >> CookieAuthHelper.unauthorized (which I must admit to only barely >> understanding...) >> http://zope3.pov.lt/trac/browser/Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py >> >> Instead, it would seem to make sense to move this functionality login >> / insufficient privileges functionality into the CookieAuthHelp >> itself. I could add an insufficient_privs_path and redirect there >> instead of login_path when a user is already authorized. >> >> Yet another option would be to let logged in unauthorized to percolate >> up and implement that page with an error view. >> >> Any opinions? I'm leaning towards adding an insufficient_privs_path as >> it seems simplest and least invasive. (When not set it would just use >> login_path as normal). > > Please do this kind of disruptive change in a *new* plugin, perhaps > subclassed from the existing one. The whole point of plugins in the > first place was to allow for folks with different needs to handle them > by replacement. I'd be interested to hear how other PAS users deal with this issue - showing an insufficient privileges page rather than a login form to already logged in users seems a common requirement. Would you consider adding an optional insufficient_privs_path to CookieAuthHelper a disruptive change? (Assuming it defaulted to the current behaviour when set to a default ''.) Making plone.session's SessionPlugin subclass CookieAuthHelper rather than work in concert with it would certainly be an option if that was thought preferable. (Keeping this thread on this list rather than starting a new one on Zope-PAS. Is the Zope-PAS list still alive or does it come under the list rationalization that's been discussed? Two comments from Wichert in the last year on checkin messages, no discussion.) Laurence ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PAS CookieAuthHelper and insufficient privileges
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/11/2010 08:21 PM, Laurence Rowe wrote: > I'm currently implementing single sign on across Plone sites but have > run into a bit of an issue with the CookieAuthHelper. > > Unauthorized accesses are redirected to its login_path attribute even > when a user is already logged in. Plone works around this with a > require_login script that traverses to insufficient_privileges (rather > than login_form) when the user is not anonymous. > http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py > > I'd like to avoid having two redirects (one to require_login and then > one to the remote login page). > > One option (as suggested in require_login.py) would be to have > CookieAuthHelper traverse rather than redirect to the login_path so > that sites could override the behaviour, though they would then > presumably need to duplicate the functionality currently in > CookieAuthHelper.unauthorized (which I must admit to only barely > understanding...) > http://zope3.pov.lt/trac/browser/Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py > > Instead, it would seem to make sense to move this functionality login > / insufficient privileges functionality into the CookieAuthHelp > itself. I could add an insufficient_privs_path and redirect there > instead of login_path when a user is already authorized. > > Yet another option would be to let logged in unauthorized to percolate > up and implement that page with an error view. > > Any opinions? I'm leaning towards adding an insufficient_privs_path as > it seems simplest and least invasive. (When not set it would just use > login_path as normal). Please do this kind of disruptive change in a *new* plugin, perhaps subclassed from the existing one. The whole point of plugins in the first place was to allow for folks with different needs to handle them by replacement. Tres. - -- === Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software "Excellence by Design"http://palladion.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAky123AACgkQ+gerLs4ltQ7L+wCZASZR/p9/K/0W+/Yski/6nMBp LkQAnj6nCfaq+1oTXK4JRgxvqxpxPE5n =Fh3T -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PAS CookieAuthHelper and insufficient privileges
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/11/2010 08:21 PM, Laurence Rowe wrote: > I'm currently implementing single sign on across Plone sites but have > run into a bit of an issue with the CookieAuthHelper. > > Unauthorized accesses are redirected to its login_path attribute even > when a user is already logged in. Plone works around this with a > require_login script that traverses to insufficient_privileges (rather > than login_form) when the user is not anonymous. > http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py > > I'd like to avoid having two redirects (one to require_login and then > one to the remote login page). > > One option (as suggested in require_login.py) would be to have > CookieAuthHelper traverse rather than redirect to the login_path so > that sites could override the behaviour, though they would then > presumably need to duplicate the functionality currently in > CookieAuthHelper.unauthorized (which I must admit to only barely > understanding...) > http://zope3.pov.lt/trac/browser/Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py > > Instead, it would seem to make sense to move this functionality login > / insufficient privileges functionality into the CookieAuthHelp > itself. I could add an insufficient_privs_path and redirect there > instead of login_path when a user is already authorized. > > Yet another option would be to let logged in unauthorized to percolate > up and implement that page with an error view. > > Any opinions? I'm leaning towards adding an insufficient_privs_path as > it seems simplest and least invasive. (When not set it would just use > login_path as normal). zope-dev@zope.org is the wrong mailing list for PAS-related questions: please keep them on zope-...@zope.org: https://mail.zope.org/mailman/listinfo/zope-pas Tres. - -- === Tres Seaver +1 540-429-0999 tsea...@palladion.com Palladion Software "Excellence by Design"http://palladion.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAky12sIACgkQ+gerLs4ltQ6kMgCeK7BdQ7yQryspLaYlT9O8ljWS ntYAn3qwCRG6V9sW8ihFOLReyIYREkZ5 =C1EF -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PAS CookieAuthHelper and insufficient privileges
Am 12.10.2010, 02:21 Uhr, schrieb Laurence Rowe : > Yet another option would be to let logged in unauthorized to percolate > up and implement that page with an error view. > Any opinions? I'm leaning towards adding an insufficient_privs_path as > it seems simplest and least invasive. (When not set it would just use > login_path as normal). I don't know whether this is relevant but Yuppie's refactoring of CookieCrumbler (proposal 20th April 2010) for the CMF uses Exception views and they work very well. Charlie -- Charlie Clark Managing Director Clark Consulting & Research German Office Helmholtzstr. 20 Düsseldorf D- 40215 Tel: +49-211-600-3657 Mobile: +49-178-782-6226 ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PAS CookieAuthHelper and insufficient privileges
On 12 October 2010 08:39, Wichert Akkerman wrote: > On 10/12/10 02:21 , Laurence Rowe wrote: >> >> I'm currently implementing single sign on across Plone sites but have >> run into a bit of an issue with the CookieAuthHelper. >> >> Unauthorized accesses are redirected to its login_path attribute even >> when a user is already logged in. Plone works around this with a >> require_login script that traverses to insufficient_privileges (rather >> than login_form) when the user is not anonymous. >> >> http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py > > The result is still nasty since it means the unauthorized error will always > consider the user to be unauthenticated. I've implemented a workaround in > NuPlone to fix that, see > http://svn.plone.org/svn/collective/NuPlone/trunk/plonetheme/nuplone/skin/error.py > . Perhaps something based on that will work for you as well. That doesn't seem to be the case when I dropped a pdb into CookieAuthHelper.unauthorized: > /data/devel/plone/4.1/src/Products.PluggableAuthService/Products/PluggableAuthService/plugins/CookieAuthHelper.py(184)unauthorized() -> import pdb; pdb.set_trace() (Pdb) from AccessControl.SecurityManagement import getSecurityManager (Pdb) getSecurityManager().getUser() Laurence ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PAS CookieAuthHelper and insufficient privileges
On 10/12/10 02:21 , Laurence Rowe wrote: > I'm currently implementing single sign on across Plone sites but have > run into a bit of an issue with the CookieAuthHelper. > > Unauthorized accesses are redirected to its login_path attribute even > when a user is already logged in. Plone works around this with a > require_login script that traverses to insufficient_privileges (rather > than login_form) when the user is not anonymous. > http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py The result is still nasty since it means the unauthorized error will always consider the user to be unauthenticated. I've implemented a workaround in NuPlone to fix that, see http://svn.plone.org/svn/collective/NuPlone/trunk/plonetheme/nuplone/skin/error.py . Perhaps something based on that will work for you as well. Wichert. ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] PAS CookieAuthHelper and insufficient privileges
I'm currently implementing single sign on across Plone sites but have run into a bit of an issue with the CookieAuthHelper. Unauthorized accesses are redirected to its login_path attribute even when a user is already logged in. Plone works around this with a require_login script that traverses to insufficient_privileges (rather than login_form) when the user is not anonymous. http://dev.plone.org/plone/browser/Plone/trunk/Products/CMFPlone/skins/plone_login/require_login.py I'd like to avoid having two redirects (one to require_login and then one to the remote login page). One option (as suggested in require_login.py) would be to have CookieAuthHelper traverse rather than redirect to the login_path so that sites could override the behaviour, though they would then presumably need to duplicate the functionality currently in CookieAuthHelper.unauthorized (which I must admit to only barely understanding...) http://zope3.pov.lt/trac/browser/Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/CookieAuthHelper.py Instead, it would seem to make sense to move this functionality login / insufficient privileges functionality into the CookieAuthHelp itself. I could add an insufficient_privs_path and redirect there instead of login_path when a user is already authorized. Yet another option would be to let logged in unauthorized to percolate up and implement that page with an error view. Any opinions? I'm leaning towards adding an insufficient_privs_path as it seems simplest and least invasive. (When not set it would just use login_path as normal). Laurence ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
