from:"Grant K Rauscher"

[Zope-dev] user roles & authentication

2002-11-07 Thread Grant K Rauscher


recently I noticed that methods for retrieving user roles are affected
by the URL from which the user logged in using basic authentication (as
opposed to the location of the user account).  I don't see any
authentication-related cookies at all from ZOPE, session or otherwise, just
basic http authorization.

the problem is this: if one authenticates at a location deeper than
their user account, authorization should apply up to the level of the
account.  it does - any method requiring authorization is allowed to run
between the point of login and the user account - but when I test with *any*
of these routines between the point of login and the user account it shows
only 'Anonymous' - not the expected roles.

user.getRoles()
_.SecurityGetUser().getRoles()
user.has_role( roleName )

visiting /manage or any other objects which require authorization works
between the user account and the point of login - in fact, after rendering
an object which would prompt for authorization if the only role were
*really* Anonymous the roles for that object and ones it contains are fixed
and show the expected results with getRoles() and has_role().

this problem occurred with ZOPE 2.5.0 or 2.5.1, and IE 5.5 or NN 7.0

        Grant K Rauscher
GeeKieR Enterprises
http://www.geekier.com/


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: user roles & authentication

2002-11-09 Thread Grant K Rauscher

> This is how the HTTP 1/1 specification requires it to be.
> Your browser follows this spec.

Dieter,

I understand the HTTP spec... but ZOPE does not work that way.

I can use methods which require roles above where I logged in.  The
methods used for returning the roles themselves do not correlate with ZOPE's
own actions.  Therefore ZOPE has an internal inconsistency regarding user
authentication with basic HTTP authorization.

> Apparently, you are using a user folder that uses basic authentication.
> There are user folders around that can (be configured to) use
> Cookie authentication. You can also use CookieCrumber for that.

yes, I've used one or two - but I'm concerned with remedying the default
ZOPE authentication mechanism, which is broken

> 
> 
>   
> 

Paul,

thanks, but your suggestion isn't applicable since the result of
AUTHENTICATED_USER.getRoles() is wrong.

        Grant K Rauscher
GeeKieR Enterprises
http://www.geekier.com/


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] user roles & authentication

[Zope-dev] Re: user roles & authentication

2 matches

Site Navigation

Mail list logo

Footer information