Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
vio, for your situation the simplest thing would be to use the CookieUserFolder (see http://www.dataflake.org/software/cookieuserfolder) which is as simple as the standard user folder and adds cookie-capability and customizable login and logout forms. no need to get all tripped up in zpatterns or user auth sources or other confusing stuff. jens On Thursday, January 24, 2002, at 01:35 , vio wrote: * Leonardo Rochael Almeida [EMAIL PROTECTED] [020124 00:03]: Hi vio, Pardon our insistence in helping you out, but you asked to be told if something in your description smelt rotten and, besides the fact that yes, you are reinventing the wheel (and reinventing it square, by the way :-), there isn't a single thing in the scenario you described below that isn't possible with plain vanilla Zope (ok, plain vanilla Zope is an oxymoron. There is nothing 'plain' about an out-of-the-box Zope, but I digress :-), you don't even need CoreSessionTracking as far as I understand it! First, thanks again for 'insisting' in helping me out. Really appreciate it! Ok, you asked what I really want, and it's very 'plain vanilla' stuff. In a sentence: to log users from a custom dtml page. Period. In more than one sentence: I want to 'integrate' the login process and 'user management' into my own product, give it my own product's 'look and feel' , to create a consistent GUI and user experience. Idealy, I'd prefer just using plain Zope, no additional 3rd party products. But I really would prefer to present the user with a nicely customised login page instead of the standard Zope dialog. Well, that's about it. Looking for a solution here has been a great learning experience into Zope security, first of all. Now all your suggestions are pointing out towards using an existing product, 2 names flying around: LoginManager and exUserFolder. LoginManager would seem more appealing, as some comments I've read would suggest that it's very customizable. My problem with that is that Zope won't 'chew' it properly, spits it out with ImportError: can't import name 'expr_globals' in Products/ZPatterns/Expressions.py line 38. Indeed, after browsing the sources, no trace of 'expr_globals' anywhere. Deprecated? Any idea what this was replaced with (by the way, in case you' re wondering, I'm running on Zope 2.4.1 with python 2.1, while on the other hand LoginManager-0-8-8b1 with ZPatterns-0-4-3b1 and PlugIns-0-4-3b1 are trying to earn a living on my hard drive). exUserFolder installed ok, so I'll give it a test drive also. But some hints on debugging LoginMgr would be also appreciated. Cheers, Vio ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
Excellent! Precisely what I'm looking for. Thanks! Vio * Jens Vagelpohl [EMAIL PROTECTED] [020124 10:46]: vio, for your situation the simplest thing would be to use the CookieUserFolder (see http://www.dataflake.org/software/cookieuserfolder) which is as simple as the standard user folder and adds cookie-capability and customizable login and logout forms. no need to get all tripped up in zpatterns or user auth sources or other confusing stuff. jens ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
vio, make sure you read the README so you don't lock youself out if the login form does not have the correct input fields. jens On Thursday, January 24, 2002, at 10:55 , vio wrote: Excellent! Precisely what I'm looking for. Thanks! Vio * Jens Vagelpohl [EMAIL PROTECTED] [020124 10:46]: vio, for your situation the simplest thing would be to use the CookieUserFolder (see http://www.dataflake.org/software/cookieuserfolder) which is as simple as the standard user folder and adds cookie-capability and customizable login and logout forms. no need to get all tripped up in zpatterns or user auth sources or other confusing stuff. jens ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
--On Thursday, January 24, 2002 01:35:56 AM -0500 vio [EMAIL PROTECTED] wrote: exUserFolder installed ok, so I'll give it a test drive also. But some hints on debugging LoginMgr would be also appreciated. Personally, I'd stay away from LoginManager. It depends on ZPatterns, a very impressive, very complex layer whose author has moved on to other things. There are a group of users supporting it to some extent with occasional help from the original authors, but I just see its future on new versions of Zope as shakier and shakier. For example, Zope 2.4 support requires using the latest CVS patches (last I looked, about a month ago). We are currently using LoginManager, but will probably convert to exUserFolder in the next month or two as part of moving our member data from ZODB to PostgreSQL. Dan Pierson ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
Hi Vio, By the contents of your message, you seem to be a little off track w.r.t. the way authentication works between the browser and Zope. By now you seem to have discovered that the browser sends the user credentials whenever it fetches a page. If you aren't using a custom user folder that uses cookies, then you're most likely using basic authentication (which is likely since you don't want the overhead of a product). To know for sure answer this question: when you are anonymous and you want to access a forbiden area, does the browser-standard-login-popup-window shows up? If yes, then there simply is no way you can use a few placed calls to the Zope machinery to convince the browser that it needs to switch identities because you're talking to Zope, not to the browser. Zope cannot tell the browser stop pretending you are anonymous and start pretending you're John. The only thing Zope can tell the browser is This user you are using is not authorized, in which case the browser will ask the user for another login/password combo, using it's own standard login popup window. On the other hand, if you are using a user-folder product (such as exUserFolder or LoginManager) and it is configured for cookie login, THEN you might be able to change the user persistently by changing the cookie. Note, however, that in most cases the cookie contains either a valid user/password combo or a key to a hash table that has the user/password combo. So, in order to tell the browser to pretend to be someone else, you'll probably have to provide the password that goes with the user, which will be impossible if the passwords are stored encrypted. In all cases, it will require knowledge of the format of the cookie that is exclusive to each user-folder and might change in the next version of the user-folder product. As I said, there is no way that a few placed calls to the Zope machinery will get what you want, but this is because it is Web, not because it is Zope. Your best bet is still trying to modify an existing, cookie-using, user-folder product, so that you can extend it to have calls that will give you the cookie that you should put in the browser to change the user identity. It's simply TOO HARD to not get involved with user-folders if what you're trying to do deals with user authentication. Cheers, Leo PS: I.M.B.O. (B. as in biased), exUserFolder is the most maleable of them all and the easiest to understand, but it is hard to understand ANY user-folder product if you don't understand Web protocols and/or Zope authentication machinery. On Wed, 2002-01-23 at 19:28, vio wrote: [...] all I am looking for is for the few Zope incantations to 'switch' user identities, and I can take care of the rest. Now I found how to make this switch, using AccessControl.SecurityManagement.newSecurityManager(None, myUser) only this switch doesn't 'persist'. What is my problem then: at this point, to change the data in the cookie Zope lays on the browser, so it points to the new 'switched' user. In other words, make a 'persistent' switch. Furthermore, I don't really need an entire product to do this. Just a few well placed calls to Zope machinery seems to do the trick. Less overhead as a bonus. -- Ideas don't stay in some minds very long because they don't like solitary confinement. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
First, thanks for your time on this thread, everybody!
* Leonardo Rochael Almeida [EMAIL PROTECTED] [020123 19:42]:
Hi Vio,
By the contents of your message, you seem to be a little off track
w.r.t. the way authentication works between the browser and Zope.
By now you seem to have discovered that the browser sends the user
credentials whenever it fetches a page. If you aren't using a custom
user folder that uses cookies, then you're most likely using basic
authentication (which is likely since you don't want the overhead of a
product). To know for sure answer this question: when you are anonymous
and you want to access a forbiden area, does the
browser-standard-login-popup-window shows up?
yes.
If yes, then there simply is no way you can use a few placed calls to
the Zope machinery to convince the browser that it needs to switch
identities because you're talking to Zope, not to the browser. Zope
cannot tell the browser stop pretending you are anonymous and start
pretending you're John. The only thing Zope can tell the browser is
This user you are using is not authorized, in which case the browser
will ask the user for another login/password combo, using it's own
standard login popup window.
Ok, maybe I didn't express myself very clearly in my past messages.
Imagine the following simple scenario, which makes heavy use of
'CoreSessionTracking', by the way:
1. In my 'standard_html_header' I put a dtml routine who checks for a
specific session variable, let's call it 'user_id'. If it isn't there, or
there is no session running, it redirects user to my custom 'loginForm'.
dtml-if sessionData.get('user_id')
get the beef
dtml-else
redirect to loginForm
2. The manage_login() who processes the 'loginForm' data, validates user
credentials against some internal list. Actually, for now I'm using a
standard Users_folder object, but I am tempted to swich to something even
simpler, like a dictionary or a list. I hope you follow me up to now.
In that list, each user_id has also associated with it a list of roles.
So here we have a central list of 'authorised' users (or a UsersFolder):
clean_users.append([user_id, password, list_of_roles])
or
Users_folder._addUser(name,password,confirm,roles,domains)
Session-storing the credentials: manage_login() stores this related data
as session variables:
sessionData.set('user_id',user_id)
sessionData.set('user_roles', list_of_roles)
3. Make all user-visible objects in my product 'Public', knowing that
they are not 'really' public: any user without a 'user_id' session variable
will get redirected to my custom login page 'no matter what'. But Zope's
own security machinery is out of the loop on this one (simply by-passed).
4. The little routine in 'standard_html_header' will take care of all dtml.
But I will need to call a similar validating method (or specialized instance)
before running any 'executable' code:
by 'executable' I mean code who Creates, Destroys, Modifies restricted objects,
or modifies my custom security settings. This code simply compares content of
'user_roles' session variable with 'my_object_permissions' object attribute
(which can be acquired).
Only if there's a match, the 'executable' python code is allowed to run.
An alternative here would have been to protect all objects with a
Zope permission (instead of declaring everything public),
then switch to a user with that permission for the duration of this
transaction with:
SecurityManagement.newSecurityManager(None, UserWithPermission)
This is what I ment with a few well placed calls to the Zope machinery.
Of course I know I'm not talking to the browser, which is but a dumb client
with cookies (and no milk). So it's not the browser who tells Zope I'm
doctor Zoidberg, but my own code (which acts like a proxy).
In my view, this scenario implements Zope's security core 'principles' of
'Roles' matching 'Permissions', but using CoreSessionTracking. Writing this
isn't as complicated as it sounds, only cumbersome to paste code into
existing python classes, and edit many dtml pages to add a 'myPermissions'
input field to all objects (or at least to the top objects in my hierarchy,
and let those custom permissions get acquired from lower down).
A full evening's work, for sure. (I think all hackers are optimists by nature)
My alternative being to study and understand an existing cookie-based
user-folder product, and make it play nice with my own code. Having tried the
latter for the last week without satisfactory results (again, only my fault if
I don't understand totally how things work), I must admit that giving a shot
at the former scenario sounds quite tempting. Let's see ...
But many thanks for all your help and suggestion, which has been very
appreciated and useful. If you smell something rotten in my stuff here,
please do let me know (besides the fact that I am trying to
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
Hi vio,
Pardon our insistence in helping you out, but you asked to be told if
something in your description smelt rotten and, besides the fact that
yes, you are reinventing the wheel (and reinventing it square, by the
way :-), there isn't a single thing in the scenario you described below
that isn't possible with plain vanilla Zope (ok, plain vanilla Zope is
an oxymoron. There is nothing 'plain' about an out-of-the-box Zope, but
I digress :-), you don't even need CoreSessionTracking as far as I
understand it!
What part of your description below you think you can't do in Zope? If
you mean 'to change the user identity transparently throughout a certain
sequence of clicks', you probably don't want it for it's own sake. If I
read you correctly, you want it so that the user, while holding the new
identity, has permissions it wouldn't have before (and won't have after)
holding the new identity. In this case, you needn't look any further
than 'Proxy Roles'. Proxy roles work sort-of like setuid in unix, in
which you grant different permissions to a user that can view/run a
ceirtain object/file.
When you give a method one or more proxy roles, the user that can
view/call it assumes these roles instead of his own. That means he has
the permissions these proxy roles have, instead of the permissions his
own roles would give him (which means proxy-roles can enhance as well as
reduce permissions). This means proxy roles only work for that method
that is being viewed/called (and other methods called from it as well),
but you can give proxy roles to as many methods as you want, and you can
call a proxy-roled (is that a word? :-) method from other methods and
all the actions that are taken by this proxy-roled method act as if the
user viewing it had the new set of roles.
I'm not sure if that's what you want to achieve, but if it isn't, then
pray tell us what you really wish to accomplish in the end, not just the
things you think you need to do in order to achieve it. I bet there is a
very simple and Zopish way of doing what you want. Maybe you are just
looking at the problem under the wrong light.
Regards, Leo
On Thu, 2002-01-24 at 00:52, vio wrote:
[...]
Imagine the following simple scenario, which makes heavy use of
'CoreSessionTracking', by the way:
1. In my 'standard_html_header' I put a dtml routine who checks for a
specific session variable, let's call it 'user_id'. If it isn't there, or
there is no session running, it redirects user to my custom 'loginForm'.
dtml-if sessionData.get('user_id')
get the beef
dtml-else
redirect to loginForm
2. The manage_login() who processes the 'loginForm' data, validates user
credentials against some internal list. Actually, for now I'm using a
standard Users_folder object, but I am tempted to swich to something even
simpler, like a dictionary or a list. I hope you follow me up to now.
In that list, each user_id has also associated with it a list of roles.
So here we have a central list of 'authorised' users (or a UsersFolder):
clean_users.append([user_id, password, list_of_roles])
or
Users_folder._addUser(name,password,confirm,roles,domains)
Session-storing the credentials: manage_login() stores this related data
as session variables:
sessionData.set('user_id',user_id)
sessionData.set('user_roles', list_of_roles)
3. Make all user-visible objects in my product 'Public', knowing that
they are not 'really' public: any user without a 'user_id' session variable
will get redirected to my custom login page 'no matter what'. But Zope's
own security machinery is out of the loop on this one (simply by-passed).
4. The little routine in 'standard_html_header' will take care of all dtml.
But I will need to call a similar validating method (or specialized instance)
before running any 'executable' code:
by 'executable' I mean code who Creates, Destroys, Modifies restricted objects,
or modifies my custom security settings. This code simply compares content of
'user_roles' session variable with 'my_object_permissions' object attribute
(which can be acquired).
Only if there's a match, the 'executable' python code is allowed to run.
An alternative here would have been to protect all objects with a
Zope permission (instead of declaring everything public),
then switch to a user with that permission for the duration of this
transaction with:
SecurityManagement.newSecurityManager(None, UserWithPermission)
This is what I ment with a few well placed calls to the Zope machinery.
Of course I know I'm not talking to the browser, which is but a dumb client
with cookies (and no milk). So it's not the browser who tells Zope I'm
doctor Zoidberg, but my own code (which acts like a proxy).
In my view, this scenario implements Zope's security core 'principles' of
'Roles' matching 'Permissions', but using CoreSessionTracking. Writing this
isn't as complicated as it
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
All the user folders can be confusing, but I think in the long run,
you'd be better off if you grabbed one and figured out how it worked.
I've used LoginManager, and basically, I create a folder for my project,
don't put the standard acl_users in it, because you want to create an
object called acl_users, of type Login Manager.
There's a method in there called userAuthenticate. When the security
mechanism kicks in (on every web page hit), if this returns a 1, then
all is well, if it returns a 0, then LoginManager will cause the
loginForm method to be run, which is where you would put your custom
login page. (see the loginForm method that comes with Login Manager).
Here's what the userAuthenticate method would look like for your scenario:
dtml-if REQUEST.cookies.has_key('user_id')
dtml-return _.int('1')
/dtml-if
dtml-return _.int('0')
Of course that's too easy, and you'd probably want to check the
username/password against stored data. I generally use a relational
database... but that's another story. You can store the user data any
way you like and just use these methods to validate it.
You will probably also need to look at the userRoles method.
The security mechanism will give you much more control over access to
your objects.
-Paul
vio wrote:
First, thanks for your time on this thread, everybody!
* Leonardo Rochael Almeida [EMAIL PROTECTED] [020123 19:42]:
Hi Vio,
By the contents of your message, you seem to be a little off track
w.r.t. the way authentication works between the browser and Zope.
By now you seem to have discovered that the browser sends the user
credentials whenever it fetches a page. If you aren't using a custom
user folder that uses cookies, then you're most likely using basic
authentication (which is likely since you don't want the overhead of a
product). To know for sure answer this question: when you are anonymous
and you want to access a forbiden area, does the
browser-standard-login-popup-window shows up?
yes.
If yes, then there simply is no way you can use a few placed calls to
the Zope machinery to convince the browser that it needs to switch
identities because you're talking to Zope, not to the browser. Zope
cannot tell the browser stop pretending you are anonymous and start
pretending you're John. The only thing Zope can tell the browser is
This user you are using is not authorized, in which case the browser
will ask the user for another login/password combo, using it's own
standard login popup window.
Ok, maybe I didn't express myself very clearly in my past messages.
Imagine the following simple scenario, which makes heavy use of
'CoreSessionTracking', by the way:
1. In my 'standard_html_header' I put a dtml routine who checks for a
specific session variable, let's call it 'user_id'. If it isn't there, or
there is no session running, it redirects user to my custom 'loginForm'.
dtml-if sessionData.get('user_id')
get the beef
dtml-else
redirect to loginForm
2. The manage_login() who processes the 'loginForm' data, validates user
credentials against some internal list. Actually, for now I'm using a
standard Users_folder object, but I am tempted to swich to something even
simpler, like a dictionary or a list. I hope you follow me up to now.
In that list, each user_id has also associated with it a list of roles.
So here we have a central list of 'authorised' users (or a UsersFolder):
clean_users.append([user_id, password, list_of_roles])
or
Users_folder._addUser(name,password,confirm,roles,domains)
Session-storing the credentials: manage_login() stores this related data
as session variables:
sessionData.set('user_id',user_id)
sessionData.set('user_roles', list_of_roles)
3. Make all user-visible objects in my product 'Public', knowing that
they are not 'really' public: any user without a 'user_id' session variable
will get redirected to my custom login page 'no matter what'. But Zope's
own security machinery is out of the loop on this one (simply by-passed).
4. The little routine in 'standard_html_header' will take care of all dtml.
But I will need to call a similar validating method (or specialized instance)
before running any 'executable' code:
by 'executable' I mean code who Creates, Destroys, Modifies restricted objects,
or modifies my custom security settings. This code simply compares content of
'user_roles' session variable with 'my_object_permissions' object attribute
(which can be acquired).
Only if there's a match, the 'executable' python code is allowed to run.
An alternative here would have been to protect all objects with a
Zope permission (instead of declaring everything public),
then switch to a user with that permission for the duration of this
transaction with:
SecurityManagement.newSecurityManager(None, UserWithPermission)
This is what I ment with a few well placed calls to the Zope machinery.
Of
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
* Leonardo Rochael Almeida [EMAIL PROTECTED] [020124 00:03]: Hi vio, Pardon our insistence in helping you out, but you asked to be told if something in your description smelt rotten and, besides the fact that yes, you are reinventing the wheel (and reinventing it square, by the way :-), there isn't a single thing in the scenario you described below that isn't possible with plain vanilla Zope (ok, plain vanilla Zope is an oxymoron. There is nothing 'plain' about an out-of-the-box Zope, but I digress :-), you don't even need CoreSessionTracking as far as I understand it! First, thanks again for 'insisting' in helping me out. Really appreciate it! Ok, you asked what I really want, and it's very 'plain vanilla' stuff. In a sentence: to log users from a custom dtml page. Period. In more than one sentence: I want to 'integrate' the login process and 'user management' into my own product, give it my own product's 'look and feel', to create a consistent GUI and user experience. Idealy, I'd prefer just using plain Zope, no additional 3rd party products. But I really would prefer to present the user with a nicely customised login page instead of the standard Zope dialog. Well, that's about it. Looking for a solution here has been a great learning experience into Zope security, first of all. Now all your suggestions are pointing out towards using an existing product, 2 names flying around: LoginManager and exUserFolder. LoginManager would seem more appealing, as some comments I've read would suggest that it's very customizable. My problem with that is that Zope won't 'chew' it properly, spits it out with ImportError: can't import name 'expr_globals' in Products/ZPatterns/Expressions.py line 38. Indeed, after browsing the sources, no trace of 'expr_globals' anywhere. Deprecated? Any idea what this was replaced with (by the way, in case you're wondering, I'm running on Zope 2.4.1 with python 2.1, while on the other hand LoginManager-0-8-8b1 with ZPatterns-0-4-3b1 and PlugIns-0-4-3b1 are trying to earn a living on my hard drive). exUserFolder installed ok, so I'll give it a test drive also. But some hints on debugging LoginMgr would be also appreciated. Cheers, Vio ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
the user gets modified automatically, provided you use common login-methodology and a user folder that supports it. you don't set the user manually. jens On Monday, January 21, 2002, at 12:35 , vio wrote: Hi, Does anybody know what is the method call to modify the AUTHENTICATED_USER attribute? I am unable to trace where REQUEST feeds data for its AUTHENTICATED_USER attribute. Some context to my question: I am using a custom method to authenticate users coming to my site. So when the user logs in, he is 'Anonymous User' (from call: AUTHENTICATED_USER.getUserName()). But after his login name and password checked ok, how do I switch his identity in Zope from 'Anonymous User' to his/her new identity? What I am looking for is that next time I call 'REQUEST.AUTHENTICATED_USER.getUserName()' to get the new UserName he just logged in as, not 'Anonymous User' again. Examining CookieCrumbler.py source, this authentication product uses the 'before_publishing_traverse hook' mechanism. But isn't there a simpler way to do this than modifying REQUEST.RESPONSE at each traversal? Sounds like a lot of overhead. Vio ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question
the user folder does this switch. it's not something you should do
manually.
by the way, since replying to your previous email to me bounced back
([EMAIL PROTECTED] is unknown) i'm uncluding that here:
**
vio,
i'm not sure what user folder products you were looking at, the
CookieCrumbler is *not* a user folder.
normal user folders do not use BeforeTraverse.
look at the source for the stock user folder
(lib/python/AccessControl.User.py), it is pretty much the simplest
implementation around.
jens
On Monday, January 21, 2002, at 09:23 , [EMAIL PROTECTED] wrote:
But setting the user 'programmatically' is precisely the point of a custom
login method. If I can't set the user programatically inside my code, what'
s the point in a 'custom' login method then? Anyway, I know it'
s feasable, because all the other 'customised' login products are doing
precisely that (after each authenticating the user in their own specific
way). And Zope does it in module HTTPResponse.HTTPResponse.unauthorised()
(called with REQUEST['RESPONSE'].unauthorised()). But I haven't totally
figured it out how that works (how Zope switches user
identities ?). And the two 'custom UserFolder' products I've
examined both seem to use ZPublisher.BeforeTraverse to 'make' this switch
happen, somehow. Hence my question to this list: not 'if' the user can be
switched (not 'manually' but 'programmatically'), but 'HOW'!
Cheers,
Vio
***
jens
On Monday, January 21, 2002, at 10:32 , vio wrote:
The point in a customised login method is precisely to do just that:
validate
user credentials with some custom scheme. If interested, this is trivial
to do
with a valid UserFolder instance around:
'if my_custon_loginForm_password ==
Users_folder.getUser(my_custon_loginForm_loginName)._getPassword(): and
here SWITCH to the authenticated new user identity'.And Voila! No sweat.
But I just don't know nor understand how to do that switch
yet, 'programmatically'.
* Jens Vagelpohl [EMAIL PROTECTED] [020121 09:02]:
the user gets modified automatically, provided you use common
login-methodology and a user folder that supports it.
You must be referring to the routine
HTTPResponse.HTTPResponse.unauthorised(),
called with REQUEST.RESPONSE.unauthorised(). It just happens that I really
don't like that 'Basic Authentication' dialog, that's why I want to use
mine.
So I've done half of the job to that end, only remaining problem is to
switch
'programmatically' to the new authenticated user id. Doing something like
'REQUEST['AUTHENTICATED_USER'] = my_custon_loginForm_loginName' seems to
have
no effect, because the user is still 'Anonymous User' (found with
'AUTHENTICATED_USER.getUserName()'). If only I could understand where
REQUEST
gets its data for its 'AUTHENTICATED_USER' attribute, I could simply
change
that data source, and I'd be done. But I don't still understand how
REQUEST
gets all the data to its attributes.
you don't set the user manually.
Of course you do ('programmatically' not 'manually'), as proven by all the
customised 'login' products out there, who are doing just that.
Only the one I studied so far
(CookieCrumbler) seems to re-write the REQUEST.RESPONSE at each traversal.
Which to me seems like a lot of overhead. If someone could point me to
where
Zope keeps user state (I believe with a cookie on the user's browser,
but where in the source does Zope set this cookie up?),
I could simply re-write that cookie with the new User ID ... Just a
thought of a simple and elegant solution (aka 'magic bullet') for my
problem.
Vio
jens
On Monday, January 21, 2002, at 12:35 , vio wrote:
Hi,
Does anybody know what is the method call to modify the
AUTHENTICATED_USER attribute? I am unable to trace where REQUEST feeds
data for its AUTHENTICATED_USER attribute.
Some context to my question: I am using a custom method to authenticate
users coming to my site. So when the user logs in, he is 'Anonymous
User'
(from call: AUTHENTICATED_USER.getUserName()). But after his login name
and password checked ok, how do I switch his identity in Zope from
'Anonymous User' to his/her new identity? What I am looking for is that
next time I call 'REQUEST.AUTHENTICATED_USER.getUserName()' to get the
new UserName he just logged in as, not 'Anonymous User' again.
Examining CookieCrumbler.py source, this authentication product uses the
'before_publishing_traverse hook' mechanism. But isn't there a simpler
way to do this than modifying REQUEST.RESPONSE at each traversal? Sounds
like a lot of overhead.
Vio
___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
___
[Zope-dev] REQUEST.AUTHENTICATED_USER question
Hi, Does anybody know what is the method call to modify the AUTHENTICATED_USER attribute? I am unable to trace where REQUEST feeds data for its AUTHENTICATED_USER attribute. Some context to my question: I am using a custom method to authenticate users coming to my site. So when the user logs in, he is 'Anonymous User' (from call: AUTHENTICATED_USER.getUserName()). But after his login name and password checked ok, how do I switch his identity in Zope from 'Anonymous User' to his/her new identity? What I am looking for is that next time I call 'REQUEST.AUTHENTICATED_USER.getUserName()' to get the new UserName he just logged in as, not 'Anonymous User' again. Examining CookieCrumbler.py source, this authentication product uses the 'before_publishing_traverse hook' mechanism. But isn't there a simpler way to do this than modifying REQUEST.RESPONSE at each traversal? Sounds like a lot of overhead. Vio ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
