[Zope-CMF] How to make your CMF portal "Members Only"

Ausum Studio ausum_studio@hotmail.com
Mon, 19 Aug 2002 03:21:18 -0500


Ben, your workaround could be ignoring a potential security issue. Every
other method not using standard_html_header (in the case of DTML skins)
will be exposed as long as it contains 'published' CMF content. Regular
users may not know which these methods are, but they will still be there.

I have this same issue as I'd like to deny access to the whole CMF site at
all, unless the user is authenticated, much the same as the effect of
unchecking the "View" checkbox at the column "Acquire Permission Settings"
at the security tab of any plain Folder. The problem is that a CMF site
doesn't behave like a folder, and doing what I've just pointed out generates
a strange redirection loop (although it could be a bug).

A fix suggested here is to also use your own default workflow, and then to
change the "published" state's permission, restricting the "View" permission
to members only.

Has anyone found a better way to deny all kinds of access to a CMF site,
except to previously registered members?



Ausum



----- Original Message -----
From: "Ben Gustafson" <cbg3@earthlink.net>
To: <zope-cmf@zope.org>
Sent: Sunday, August 18, 2002 12:30 AM
Subject: [Zope-CMF] How to make your CMF portal "Members Only"


> After finding some sketchy documentation on cmf.zope.org about how to make a
> "members-only" CMF portal, I decided to roll my own method with a little
> DTML, ZPT and an External Method. The methodology I followed is: Redirect
> anonymous visitors to the Login form (unless they're already on that page);
> disable the Join link and action; and do not display the Actions box for
> anonymous visitors. Below is the code if you'd like to do this yourself.
>
> ------------
> 1) Add this DTML to the top of
> CMFDefault/skins/generic/standard_html_header.dtml:
>
> <dtml-if "portal_membership.isAnonymousUser()">
>  <dtml-let strURLBASE3="REQUEST.BASE3">
>   <dtml-if "not strURLBASE3.endswith('login_form')">
>    <dtml-let strURL="_.string.join([REQUEST.BASE2, 'login_form'], '/')">
>     <dtml-call expr="RESPONSE.redirect(strURL)">
>    </dtml-let>
>   </dtml-if>
>  </dtml-let>
> </dtml-if>
>
> 2) Surround the <dtml-var actions_box> tag with this dtml-if statement:
>
> <dtml-if "not portal_membership.isAnonymousUser()">
>   <dtml-var actions_box>
> </dtml-if>
>
> 3) Add this span tag to CMFDefault/skins/zpt_generic/main_template.pt:
>
> <span tal:condition="isAnon"
> tal:define="strURL request/URL;
> loginForm string:${portal_url}/login_form"
> tal:replace="python:here.doRedirect(loginForm, strURL)">Log in</span>
>
> 4) Add this condition to the actions box table tag (marked with
> <!-- actions box --> above it):
>
> tal:condition="not:python:isAnon"
>
> 5) Create an External Method with the following function:
>
> def doRedirect(newURL, presentURL):
>     """Redirect to newURL if it is not the same as presentURL"""
>     if newURL != presentURL:
>         # Zope 2 of this era treats a raised 'Redirect' string exception
>         # as an instruction to ZPublisher to send an HTTP redirect.
>         raise 'Redirect', newURL
>
> 6) In portal_registration, under the Actions tab, uncheck the Join action's
> Visible? checkbox.
> ------------
>
> Simple? Simple.
>
> --Ben
>
>
> _______________________________________________
> Zope-CMF maillist  -  Zope-CMF@zope.org
> http://lists.zope.org/mailman/listinfo/zope-cmf
>
> See http://collector.zope.org/CMF for bug reports and feature requests
>
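
An added illustration, not code from either message in this thread: a small
plain-Python model of the difference Ausum points to between Ben's redirect in
standard_html_header (step 1) and restricting the 'View' permission of the
published workflow state. The User/Document classes, the role sets, the
PORTAL_URL value and the sample document are constructed assumptions, not the
CMF API.

```python
# Added example, not code from either message in this thread. It models in
# plain Python the difference between a redirect placed in
# standard_html_header (Ben's step 1) and denying the 'View' permission on
# published content (the workflow-based fix Ausum mentions). The classes,
# role sets and sample document are constructed assumptions, not CMF's API.
from dataclasses import dataclass

PORTAL_URL = "http://portal.example/cmf"  # constructed sample value


class Redirect(Exception):
    """Stands in for the redirect the header triggers via RESPONSE.redirect."""


class Unauthorized(Exception):
    """Stands in for the Unauthorized Zope raises when 'View' is denied."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


ANONYMOUS = User("Anonymous User", frozenset({"Anonymous"}))
MEMBER = User("alice", frozenset({"Member", "Authenticated"}))


@dataclass(frozen=True)
class Document:
    id: str
    body: str
    # Roles granted the 'View' permission by the object's workflow state.
    view_roles: frozenset


def standard_html_header(user, current_url):
    """Template-level guard (Ben's step 1). It only runs when the rendering
    method actually includes the header."""
    if "Member" not in user.roles and not current_url.endswith("login_form"):
        raise Redirect(PORTAL_URL + "/login_form")
    return "<html><body>"


# Two skin methods for the same document: one includes the header, one does
# not (think of a raw download or a custom template that skips it).
def view(doc, user):
    return standard_html_header(user, f"{PORTAL_URL}/{doc.id}/view") + doc.body


def raw(doc, user):
    return doc.body


METHODS = {"view": view, "raw": raw}


def access(doc, method_name, user):
    """Publish `doc` through `method_name` for `user`, the way the publisher
    would: the 'View' permission is checked before any method runs."""
    try:
        if not (doc.view_roles & user.roles):
            raise Unauthorized(doc.id)
        return ("ok", METHODS[method_name](doc, user))
    except Redirect as exc:
        return ("redirect", str(exc))
    except Unauthorized:
        return ("unauthorized", None)


# Default workflow: the published state leaves 'View' open to Anonymous.
DEFAULT_DOC = Document("news", "<p>published content</p>",
                       frozenset({"Anonymous", "Member"}))
# Workflow fix: the published state grants 'View' to Member only.
MEMBERS_ONLY_DOC = Document("news", "<p>published content</p>",
                            frozenset({"Member"}))


def outcomes(doc, user):
    """Status of each skin method for `user`, e.g. {'view': 'redirect', ...}."""
    return {name: access(doc, name, user)[0] for name in METHODS}


if __name__ == "__main__":
    print("template guard only :", outcomes(DEFAULT_DOC, ANONYMOUS))
    print("View denied in state:", outcomes(MEMBERS_ONLY_DOC, ANONYMOUS))
    print("member, View denied :", outcomes(MEMBERS_ONLY_DOC, MEMBER))
```

With the default workflow the anonymous request through "view" is redirected
to login_form, but the same document served by a method that skips the header
("raw") comes back in full; once 'View' on the published state is limited to
Member, both paths are refused for anonymous users and still work for a
member, which is the property a "members only" portal actually needs.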