[Zope-PTK] User Sources and ZClasses (Building ZPatterns)

Kevin Dangoor kid@kendermedia.com
Thu, 18 May 2000 10:17:18 -0400


----- Original Message -----
From: "Lalo Martins" <lalo@hackandroll.org>
To: <zope-ptk@zope.org>
Sent: Thursday, May 18, 2000 5:26 AM
Subject: [Zope-PTK] User Sources and ZClasses (Building ZPatterns)


> On Wed, May 17, 2000 at 07:41:46PM -0400, Kevin Dangoor wrote:
> >
> > > - Properties of a user are stored with the user (how?)
> >
> > You could make a SheetProvider (I'm not up to speed on that yet). Or, you
> > could probably just create a ZClass for your users and manage the user's
> > properties using standard ZClass mechanisms.
>
> That's exactly what I planned to do, but I stumbled on an
> important problem - I can't use the permission framework to
> protect the user's password. I want the password to be a
> property in a property sheet, but property sheets and
> permissions don't work well together in Zope 2.1.x - if I allow
> other users to create arbitrary DTML, they can retrieve the
> passwords of any user with trivial code
> (<dtml-var "Users[username].password">). I posted to zope and
> zope-dev about this problem a while ago, to no avail.
>
> Looks like the permission I set inside the property sheet only
> affects _editing_ the properties, not reading them.
>
> Of course I could just go ahead and not give users permission
> to create arbitrary DTML, but I don't want to have to change
> the whole user source (and probably take the site offline)
> later when this is fixed.

You probably want to create a Python base class for your ZClass and store
the password in self._password. That way you can't get access to it via DTML
beyond any bits you code up in Python to allow for management of the
passwords...

Kevin
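
A sketch of the base-class approach suggested in the reply, as an added example that is not part of the original message or of Zope's own code. The names PasswordHolder, restricted_getattr and template_can_read are hypothetical; restricted_getattr only models the rule that template-level code is refused names starting with an underscore, and storing a salted hash rather than the clear text is an assumption added here.

```python
import hashlib
import hmac
import os


class PasswordHolder:
    """Plain-Python base class; a ZClass for users would list it as a base."""

    def __init__(self):
        self._password = None  # leading underscore: reachable from Python only

    def set_password(self, new_password):
        # Assumption beyond the message: keep a salted hash, not the clear text.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self._password = (salt, digest)

    def check_password(self, candidate):
        if self._password is None:
            return False
        salt, digest = self._password
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(probe, digest)


def restricted_getattr(obj, name):
    """Hypothetical stand-in for attribute lookup done on behalf of a template.

    Models only the rule the reply relies on: names starting with "_" are
    refused to through-the-web code.
    """
    if name.startswith("_"):
        raise PermissionError("private attribute: " + name)
    return getattr(obj, name)


def template_can_read(obj, name):
    """True if the modelled template lookup would hand back the attribute."""
    try:
        restricted_getattr(obj, name)
        return True
    except PermissionError:
        return False
```

The public methods become the only route to the stored value, so they are what then needs protecting with permissions.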