[Zope-CMF] CMF 1.4 release blockers (was: Re: [dev] some CMF 1.4beta1 issues)

sean.upton@uniontrib.com sean.upton@uniontrib.com
Mon, 12 May 2003 11:34:14 -0700

Question about a workaround: In a custom user folder subclass of
BasicUserFolder (i.e. SimpleUserFolder or similar), couldn't one override
authorize() to call a TTW python script right after calling validate()?
Would calling changeSkin() from such a script at this point in the process
still work?  Perhaps in future versions of Zope, it would be nice if there
could be some post-traversal equivalent to an access rule (or if an access
rule could have a pre-authorization and a post-authorization script if the
user-folder supported it)...


-----Original Message-----
From: Tres Seaver [mailto:tseaver@zope.com]
Sent: Monday, May 12, 2003 11:03 AM
To: sean.upton@uniontrib.com
Cc: seb@jamkit.com; chrisw@nipltd.com; zope-cmf@zope.org;
schubbe@web.de; gregweb@gmx.ch; limi@plone.org; andy@agmweb.ca
Subject: RE: [Zope-CMF] CMF 1.4 release blockers (was: Re: [dev] some
CMF 1.4beta1 issues)

On Mon, 2003-05-12 at 13:48, sean.upton@uniontrib.com wrote:

> IIRC, at the moment, it is impossible to do this in an access rule, given
> its pre-traversal nature?  Is this correct?

Yes;  access rules can't use "authenticated user" semantics, because
Zope2 defers actually authenticating the user until they try to access
an object which is protected.  For the general case, traversal won't
have triggered authentication yet.

> http://mail.zope.org/pipermail/zope-cmf/2002-September/015578.html

Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com