[Zope-dev] CookieCrumbler and User-Logging

2005-02-07 Thread Simon Neidhold
hi,
I'm using the CookieCrumbler product (v1.2) in a Zope 2.7.1 instance to
get cookie-based login for my users.
The approach worked well until now.

Today I've encountered a problem. Users can authorize themselves, but
their username isn't sent regularly within the authentication header.
Therefore all log entries in the Z2.log contain the username 'Anonymous
User', not the actual authenticated one.

I've searched the mailing list for possible fixes, but the only result is
that dirty hack:
http://mail.zope.org/pipermail/zope-collector-monitor/2003-February/001733.html
It was posted 2 years ago, so I'm hoping that someone knows an
even better solution?

--
greets
Simon 'SNE' Neidhold
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
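To make concrete where the Z2.log user name comes from, and why a cookie-only login shows up as 'Anonymous User': the following is an added example, not code from this thread and not ZServer's or CMF's own code. It re-implements, in a deliberately defensive way, the part of an access logger that turns an HTTP Basic `Authorization` header into a user name, plus the step the CookieCrumbler patch performs of rebuilding that header from the `__ac` cookie. All function names (`basic_credential`, `ac_cookie_value`, `authorization_from_ac_cookie`, `username_from_authorization`, `access_log_line`) and the log line layout are assumptions chosen for illustration; the only facts taken from the thread are that the logger reads the auth header and that the cookie carries a URL-quoted base64 `name:password`.

```python
import base64
import binascii
from urllib.parse import quote, unquote

# What Z2.log shows when no usable credentials reach the logger.
ANONYMOUS = "Anonymous User"


def basic_credential(name, password):
    """base64('name:password'), the payload of a Basic Authorization header
    (illustrative helper; mirrors what CookieCrumbler stores in __ac)."""
    return base64.b64encode(("%s:%s" % (name, password)).encode("utf-8")).decode("ascii")


def ac_cookie_value(name, password):
    """URL-quoted credential as it would travel in the __ac cookie (assumed)."""
    return quote(basic_credential(name, password))


def authorization_from_ac_cookie(cookie_value):
    """Rebuild the Authorization header the way the patch does for the __ac
    branch: URL-unquote the cookie and prefix it with 'Basic '."""
    return "Basic %s" % unquote(cookie_value)


def username_from_authorization(header):
    """Return the user name carried by a Basic Authorization header.

    The header value is whatever the client (or a cookie the client set)
    supplied, so every step falls back to ANONYMOUS instead of raising:
    wrong scheme, undecodable base64, no 'name:password' separator.
    """
    if not header:
        return ANONYMOUS
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return ANONYMOUS
    try:
        # validate=False drops stray newlines, such as the trailing one that
        # Python 2's base64.encodestring() leaves in the value.
        raw = base64.b64decode(encoded.strip(), validate=False)
    except (binascii.Error, ValueError):
        return ANONYMOUS
    name, sep, _password = raw.decode("utf-8", "replace").partition(":")
    if not sep or not name:
        return ANONYMOUS
    # A client chose this string; neutralise newlines and other control
    # characters so it cannot forge an extra log line.
    return "".join(ch if ch.isprintable() else "?" for ch in name)


def access_log_line(remote_addr, request_line, status, nbytes, authorization):
    """Common-log-style line an access logger would emit (illustrative format,
    not Z2.log's exact layout)."""
    user = username_from_authorization(authorization)
    return '%s - %s "%s" %d %d' % (remote_addr, user, request_line, status, nbytes)


if __name__ == "__main__":
    # Constructed sample request: a cookie login sends no Authorization
    # header, which is exactly why the report sees 'Anonymous User'.
    print(access_log_line("10.0.0.5", "GET /folder HTTP/1.0", 200, 1234, None))
    # With the cookie copied into the header before logging, the name appears.
    header = authorization_from_ac_cookie(ac_cookie_value("simon", "secret"))
    print(access_log_line("10.0.0.5", "GET /folder HTTP/1.0", 200, 1234, header))
```

The design point is the fallback: once cookie contents are forwarded to the logger, the logger is parsing client-controlled data on every request, so decode failures must degrade to the anonymous marker and the extracted name must be stripped of control characters before it is written to the log file.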


[Zope-dev] Re: CookieCrumbler and User-Logging

2005-02-07 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Simon Neidhold wrote:
| hi,
|
| I'm using the CookieCrumbler product (v1.2) in a Zope 2.7.1 instance to
| get cookie-based login for my users.
| The approach worked well until now.
|
| Today I've encountered a problem. Users can authorize themselves, but
| their username isn't sent regularly within the authentication header.
| Therefore all log entries in the Z2.log contain the username 'Anonymous
| User', not the actual authenticated one.
|
| I've searched the mailing list for possible fixes, but the only result is
| that dirty hack:
|
http://mail.zope.org/pipermail/zope-collector-monitor/2003-February/001733.html
|
| It was posted 2 years ago, so I'm hoping that someone knows an
| even better solution?
I am attaching the patch which Casey Duncan worked up to log the
cookie-based user somewhat more cleanly.
Tres.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  Zope Dealers   http://www.zope.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCB6v0GqWXf00rNCgRAipeAKCBWwFdDlV2N0v9jhQDOYLMEv7WiQCghf4x
VB9jmCCJTJXwPpjorxOXs90=
=IJ+W
-END PGP SIGNATURE-
diff -I '$Id: cookie_auth_log.patch,v 1.1 2005/01/20 22:33:16 tseaver Exp $Revision:' --exclude CVS -c -r CMF-1.4.5/CMFCore/CookieCrumbler.py CMF-1.4.5+1/CMFCore/CookieCrumbler.py
*** CMF-1.4.5/CMFCore/CookieCrumbler.py	2004-04-23 17:11:33.0 -0400
--- CMF-1.4.5+1/CMFCore/CookieCrumbler.py	2004-07-14 15:32:01.0 -0400
***
*** 68,73 
--- 68,75 
  'label':'Auto-login page ID'},
 {'id':'logout_page', 'type': 'string', 'mode':'w',
  'label':'Logout page ID'},
+{'id':'log_username', 'type':'boolean', 'mode': 'w',
+ 'label':'Log cookie auth username to access log'}
 )
  
  auth_cookie = '__ac'
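Review bot: Style: the new `log_username` entry writes `'mode': 'w'` where the neighbouring entries write `'mode':'w'`, and it is now the last element of the property tuple without a trailing comma, unlike the `'label':'Logout page ID'},` line above it. Matching the existing layout (`'mode':'w'` and a closing `},`) keeps the next property addition from having to touch this line. The label also promises that the name reaches the access log unconditionally, while the implementation further down can only do that when the Medusa request object is reachable; a shorter label plus a comment stating that limitation would set expectations correctly.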
***
*** 76,81 
--- 78,84 
  persist_cookie = '__ac_persistent'
  auto_login_page = 'login_form'
  logout_page = 'logged_out'
+ log_username = 1
  
  security.declarePrivate('delRequestVar')
  def delRequestVar(self, req, name):
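Review bot: `log_username = 1` as a class attribute switches the feature on for every existing CookieCrumbler instance at upgrade time, because instances that have no such attribute in their persistent state fall through to the class default; that is a behaviour change (user names start appearing in Z2.log) that no site admin opted into. Either default to `0` and let admins enable it through the new property, or state the new default explicitly in the change notes.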
***
*** 102,107 
--- 105,127 
  security.declarePrivate('defaultExpireAuthCookie')
  def defaultExpireAuthCookie( self, resp, cookie_name ):
  resp.expireCookie( cookie_name, path='/')
+ 
+ def _setAuthHeader(self, ac, request, response):
+ Set the auth headers for both the Zope and Medusa http request
+ objects.
+ 
+ request._auth = 'Basic %s' % ac
+ request._cookie_auth = 1
+ response._auth = 1
+ if self.log_username:
+ # Set the authorization header in the medusa http request
+ # so that the username can be logged to the Z2.log
+ try:
+ medusa_headers = response.stdout._request._header_cache
+ except AttributeError:
+ pass
+ else:
+ medusa_headers['authorization'] = request._auth
  
  security.declarePrivate('modifyRequest')
  def modifyRequest(self, req, resp):
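Review bot: Two points on `_setAuthHeader`. First, the docstring lines (`Set the auth headers for both the Zope and Medusa http request objects.`) appear in this hunk without their `"""` delimiters; if the patch file really lacks them the method body is a syntax error, so confirm the quotes survived. Second, `response.stdout._request._header_cache` reaches into a private Medusa attribute, and `except AttributeError: pass` turns every mismatch (a non-Medusa front end, or a later rename of `_header_cache`) into a silent no-op, so an admin who enables `log_username` and still sees `Anonymous User` gets no hint why. A comment naming the ZServer version this was written against, and a one-time log message in the `except` branch, would make that failure visible. Note that what is written into the cache is the full `Basic` credential string, the same value a real Basic-auth request carries, so the logger's handling of it is unchanged from the non-cookie case.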
***
*** 126,134 
  name = req[self.name_cookie]
  pw = req[self.pw_cookie]
  ac = encodestring('%s:%s' % (name, pw))
! req._auth = 'Basic %s' % ac
! req._cookie_auth = 1
! resp._auth = 1
  if req.get(self.persist_cookie, 0):
  # Persist the user name (but not the pw or session)
  expires = (DateTime() + 365).toZone('GMT').rfc822()
--- 146,152 
  name = req[self.name_cookie]
  pw = req[self.pw_cookie]
  ac = encodestring('%s:%s' % (name, pw))
! self._setAuthHeader(ac, req, resp)
  if req.get(self.persist_cookie, 0):
  # Persist the user name (but not the pw or session)
  expires = (DateTime() + 365).toZone('GMT').rfc822()
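Review bot: `ac = encodestring('%s:%s' % (name, pw))` on the context line above leaves a trailing newline in `ac` (Python 2's `base64.encodestring` appends one), and after the new `self._setAuthHeader(ac, req, resp)` call that newline also travels into the Medusa `authorization` header value that feeds the access log. Whether the logging side tolerates an embedded newline depends on how it decodes the header; `encodestring(...).rstrip()` would give a clean single-line header value and remove the question. Folding the three `req._auth` / `req._cookie_auth` / `resp._auth` assignments into the helper is otherwise behaviour-preserving.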
***
*** 146,154 
  elif req.has_key(self.auth_cookie):
  # Copy __ac to the auth header.
  ac = unquote(req[self.auth_cookie])
! req._auth = 'Basic %s' % ac
! req._cookie_auth = 1
! resp._auth = 1
  self.delRequestVar(req, self.auth_cookie)
  return ATTEMPT_RESUME
  return ATTEMPT_NONE
--- 164,170 
  elif req.has_key(self.auth_cookie):
  # Copy __ac to the auth header.
  ac = unquote(req[self.auth_cookie])
! self._setAuthHeader(ac, req, resp)
  self.delRequestVar(req, self.auth_cookie)
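Review bot: In this branch `ac` is taken verbatim from the client's `__ac` cookie via `unquote`, so after `self._setAuthHeader(ac, req, resp)` an arbitrary client-chosen string, not necessarily valid base64 or of the form `name:password`, is handed to the access logger as the `authorization` header. Before the patch it only fed Zope's own authentication, which rejects bad input; make sure the logging side decodes defensively (fall back to the anonymous marker on decode errors, strip newlines and control characters from the name before writing the line) rather than raising inside the request logger. Also, the new side of this hunk (`--- 164,170`) stops after `self.delRequestVar(req, self.auth_cookie)` while the old side still shows `return ATTEMPT_RESUME` and `return ATTEMPT_NONE`, so the archived copy appears truncated; compare against the full patch before applying.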