Jens Vagelpohl wrote:
being explicit is almost always better. you are relying on internal magic and it's not apparent from looking at the code you wrote.

the validate implementation in the LDAPRoleExtender is the "most correct" one. shane worked on it for a while to make sure it does the most correct thing possible, and if anyone knows about the vagaries of acquisition/security and all its possible permutations it is him.
:-) Well, I tried to get it right, but I'm sure I could have missed something.

On Thursday, Oct 17, 2002, at 08:37 US/Eastern, Dirk Datzert wrote:

Hi Jens,

why is that code no longer referring to the real userfolder anymore? it
should not make calls to authorize/identify/authorize on "self" but on
the LDAPUserFolder it is using as the user source.

self.identify() should be the same as if getLUF().identify() since LDAPUserFolder and LDAPRoleTwiddler both inherited this from BasicUserFolder.

self.authenticate() does a self.getUser() which refers to getLUF().getUser() and does twiddling in one step and return the right user-object which the API would expect.

I think that self.authorize(user,...) is better than self.getLUF().authorize(user,...)
because the authorize does the following in 1st line:

def authorize(self, user,... ): (inherited from BasicUserFolder)
user = getattr(user, 'aq_base', user).__of__(self)

this would be different for self.authorize, where self would be the LRT and
self.getLUF().authorize() where self would be the LUF.

The user is seen in 2 different contexts by .__of__(self) .

Maybe I'm think too complicated, Your opinion ?
The idea behind LDAPRoleExtender is to give the user global roles if the user accesses a context where extra roles would be given. In order to grant global roles, the context of the user is always the LDAPUserFolder, not the role extender.

Role computation applied this way has a nasty side effect, unfortunately: if the user is allowed to write any kind of script, the user can access anything protected by the supposedly local roles. Don't ever grant the "Manager" role using LDAPRoleExtender unless you fully trust the user.

I don't know anything about LDAPRoleTwiddler. But I would recommend you install the VerboseSecurity product, which will tell you a lot more about the Unauthorized error.

And if you're interested, I know how we can make LDAPRoleExtender much safer, based on conversations with Jens.


Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - )

Reply via email to