[Zope-CMF] anonymous to submit content?

alan runyan runyaga@thisbox.com
Mon, 9 Jul 2001 16:05:42 -0500 

ok.  if you look on zope-dev you can see i'm having a hard time w/ letting
Anonymous users create content in the CMF.  It appears its some heavy mojo
inside the security machinery (or that is my perception after 2 hours w/ the
debugger and lots of Cokes). Two requests:  if you are a guru, please look
at my post.  Its a bit rambling and was composed over a few hours.  I
believe the jist is there.

Second Request: which is on topic for the CMF.
What is the 'way' of letting Anonymous Users to create Content Objects in
the CMF?  I had an idea that seemingly could work well. and would be useable
(almost) by all CMF Content Objects.  We create 2 Script (Pythons) that are
proxied as high level users, we do this for each Content Object.  For
instance, mine would be createJobPosting and submitJobPosting.  I have a
user called, PUBLIC.

in the createJobPosting: we invokeFactory to create the desired content
object in the PUBLIC directory.  then we need to return the view
(xxx_edit_form) of that object (newly created object), proxied as if they
were God.  they will be submitting this to submitJobPosting which again
another proxied Script (Python) which simply saves it to the edit method of
the object and then submits it to a review status.

so we could have all job postings sitting in /Members/PUBLIC/job#########
and then if we wanted we could move them out of there on 'Publish'.  Has
anyone got this working?  This isnt needed if users are logged into the CMF,
but if you are Anonymous I am having all sorts of problems.  I would love to
see the CMF have a plethora of objects that did common functionality of
websites where anonymous users could submit content, it could be reviewed
and then integrated into the website.

problems: the object has to be away of its view.  this could be an
acquistion issue, i have no clue.  i.e. I ended up having to create a method
on the object called, getEditView (which returned the rendered DTML).  the
second is that on publishing of this view, all calls to this() hork, because
 of security problems being Anonymous (even if you are proxied) -- in my
case, standard_html_header on _.hasattr(this(), 'isEffective') .  This is
the step I'm trying to figure out.  I will jump through the Python hoops so
that people dont have to proxy their standard_header or any other DTML
Methods.  I will write this up as HOW-TO if we/I can figure it out.

am I missing something and has someone already conquered this?

cheers,
~runyaga

p.s. logging into the CMF is quite a bit of user effort and to submit Job
Postings/URL (Swishdot?) ,NEWS, Events -- w/o having to log in and then
delegated members can review and push it through a more comprehensive
workflow would be SWEET.  soo, has anyone succeeded?