[ZPatterns] still struggling with a sessionbased LoginMethod

John Eikenberry jae-zpat@kavi.com
Tue, 6 Nov 2001 15:12:27 -0800


I ran into the same problem. Turns out that Zope has 2 security mechanisms.
The first checks the permissions on the published objects. The second is
used when doing things like parsing the dtml.

There is no way around it besides making sure that every folder that
restricts access has an index_html in it. The index_html is looked for at
publishing time and will trigger the loginForm.

We had to go back to basic auth as we had just finished developing a whole
publishing setup that was built around the idea of having 1 index_html at
the top level. :P

Joachim Schmitz wrote:

> Hi,
>
> I am still struggling with some details of my session-based LoginMethod.
>
> I am trying to build a LoginMethod with the LoginManager product, which does
> not use the HTTP-authentication at all, but stores the user-information in a
> session. I am using CoreSessionTracking 0.9.
>
> If I call the loginForm directly, the user can login and can work in his
> session. He can logout and login again, everything seems to work as expected.
>
> the structure is like this:
>=20
> acl_users  (default)
> AppFolder (not protected)
>   acl_users  (LoginManager)
>   head
>   foot
>   index_html:
>     <dtml-var head>
>     <dtml-var content>
>     <dtml-var foot>
>   testFolder (protected)
>     content
>
> When I now - as anonymous - call AppFolder/testFolder/content directly, which
> is not accessible to anonymous, the LoginManager-loginform pops up.
>
> But when I access AppFolder/testFolder, the default http-authorisation box
> pops up.
>
> I debugged this, with the python-debugger and found, that only for the
> index_html, it is calling the validate-function of the
> LoginManager-acl_users. There the response.unauthorized is set to the
> correct loginForm. But further on the validate-functions of User.py are
> called.
>=20
> Can anybody give me any hint, what I might be doing wrong?
>
>
> With kind regards
>
> Joachim Schmitz
>
> AixtraWare, Ing. Büro für Internetanwendungen
> Hüsgenstr. 33a, D-52457 Aldenhoven
> Phone: +49-2464-8851, FAX: +49-2464-905163
>

--

John Eikenberry [jae@kavi.com]
______________________________________________________________
"A society that will trade a little liberty for a little order
 will deserve neither and lose both."
                                          --B. Franklin