[Zope-CMF] CMF Authentication process

Kevin Carlson khcarlso@bellsouth.net
Thu, 16 May 2002 12:06:02 -0400


Found the problem...

The problem did indeed occur when I removed the Member role and re-added it.
When re-adding the role the default permissions for Member were not
recreated.  Since selecting the skin at authentication time appears to the
system to be a user changing their own properties, I had to check the "Set
own properties" permission for member.  That did the trick.

Kevin

-----Original Message-----
From: zope-cmf-admin@zope.org [mailto:zope-cmf-admin@zope.org]On Behalf
Of Kevin Carlson
Sent: Thursday, May 16, 2002 11:43 AM
To: Shane Hathaway
Cc: zope-cmf group
Subject: RE: [Zope-CMF] CMF Authentication process


Shane,

That makes sense -- thanks.  I still have one issue that doesn't make sense
(and which led to this inquiry)...

When I create a new user with a role of "Member"  I cannot log in to the
site regardless of which skin I am using.  I'm sure I messed something up
security-wise at some point, but right now I can't figure out what that may
be.  Earlier I created a new Role called "Document Manager" and deleted the
"Member" role.  Later when I discovered that 'Member' was all over the
source code I added the role back in.  Could that have caused the problem?
Any other ideas?

Thanks,

Kevin

-----Original Message-----
From: zope-cmf-admin@zope.org [mailto:zope-cmf-admin@zope.org]On Behalf
Of Shane Hathaway
Sent: Thursday, May 16, 2002 10:16 AM
To: Kevin Carlson
Cc: zope-cmf group
Subject: Re: [Zope-CMF] CMF Authentication process


Kevin Carlson wrote:
> Where does user authentication actually happen within CMF?  It looks as if
> after the user completes the login_form and posts to logged_in that the
> user is somehow magically authenticated.  I can find no calls to the
> User.authenticate method anywhere...
>
> The logged_in form calls "portal_skins.updateSkinCookie()" and
> "setupCurrentSkin" in the first few lines of its code, and reading the
> source for these functions I cannot find a place where it is doing the
> authentication of the user.  It appears that there is a call to
> getAuthenticatedUser before there was ever a chance to authenticate!  I
> know I'm wrong about this because the CMF is doing user authentication -- I
> just can't figure out where it's happening.
>
> Can anyone explain or point me to some doc on this?

On traversal through the folder that contains the cookie_authentication
object, a hook calls the cookie_authentication object, which sees the
request contains the form variables "__ac_name" and "__ac_password" (or
whatever names you specify).  It encodes those variables to produce the
"__ac" cookie, at the same time changing the request in such a way that
user folders will think basic authentication was used.  So then the
normal Zope authentication process happens.  When the response is
generated, it asks the browser to set "__ac", which the
cookie_authentication object detects on subsequent requests.

Make sense?

Shane



_______________________________________________
Zope-CMF maillist  -  Zope-CMF@zope.org
http://lists.zope.org/mailman/listinfo/zope-cmf

See http://www.zope.org/Products/PTK/Tracker for bug reports and feature
requests
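
The flow Shane describes above, as an added example that is not part of the original thread and is not CMF's own code. It assumes the "__ac" value is the URL-quoted base64 of "name:password" (the thread does not state the encoding); the request is a constructed dict, and crumble and basic_auth_user are hypothetical names.

```python
import base64
from urllib.parse import quote, unquote

AUTH_COOKIE = "__ac"
NAME_VAR, PW_VAR = "__ac_name", "__ac_password"

def crumble(request):
    """Model of the traversal hook; returns the cookie value to set, or None.

    `request` is a constructed dict with 'form', 'cookies' and 'headers'
    keys, standing in for a Zope REQUEST (assumption, not the real object).
    """
    if "Authorization" in request["headers"]:
        return None  # genuine basic auth already present: leave it alone
    form, cookies = request["form"], request["cookies"]
    set_cookie = None
    if NAME_VAR in form and PW_VAR in form:
        # Login post: encode the credentials and drop them from the form
        # so later code in the request never sees the raw password field.
        creds = "%s:%s" % (form.pop(NAME_VAR), form.pop(PW_VAR))
        token = base64.b64encode(creds.encode("utf-8")).decode("ascii")
        set_cookie = quote(token)  # '+' and '=' must be escaped in a cookie
    elif AUTH_COOKIE in cookies:
        # Subsequent request: the cookie carries the same token.
        token = unquote(cookies[AUTH_COOKIE])
        try:
            base64.b64decode(token, validate=True)
        except ValueError:
            return None  # malformed cookie: treat the request as anonymous
    else:
        return None
    # Rewrite the request so the user folder sees ordinary basic auth.
    request["headers"]["Authorization"] = "Basic " + token
    return set_cookie

def basic_auth_user(request):
    """What a user folder would read from the rewritten request."""
    header = request["headers"].get("Authorization", "")
    if not header.startswith("Basic "):
        return None
    decoded = base64.b64decode(header[6:]).decode("utf-8")
    name, _, password = decoded.partition(":")
    return name, password
```

Under this assumption the cookie is a reversible encoding of the password rather than an opaque session token, so it should only ever travel over HTTPS.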


