[Zope-dev] struggling with a session-based LoginMethod

Joachim Schmitz js@aixtraware.de
Wed, 7 Nov 2001 09:31:03 +0100 (CET)


Hi,

I am trying to develop a LoginMethod with the LoginManager product which does
not use HTTP authentication at all, but stores the user information in a
session. I am using CoreSessionTracking 0.9.

If I call the loginForm directly, the user can log in and can work in his
session. He can log out and log in again; everything seems to work as expected.

The structure is like this:

acl_users  (default)
AppFolder (not protected)
  acl_users  (LoginManager)
  head
  foot
  index_html:
    <dtml-var head>
    <dtml-var content>
    <dtml-var foot>
  testFolder (protected)
    content

When I now, as anonymous, call AppFolder/testFolder/content directly, which is
not accessible to anonymous, the LoginManager loginForm pops up.

But when I access AppFolder/testFolder, the default HTTP authorisation box
pops up. When I test this with ZDebug, I get the information that Zope is
trying to publish index_html, and that user Anonymous is not allowed to
access content.


I debugged this with the Python debugger and found that only for
index_html is the validate function of the LoginManager acl_users called.
There response.unauthorized is set to the correct loginForm. But further on
the validate functions of User.py are called.

I posted this problem to the zpatterns list, and got the following answer:

Begin citation -------------------

Date: Tue, 6 Nov 2001 15:12:27 -0800
From: John Eikenberry <jae-zpat@kavi.com>
To: zpatterns <zpatterns@eby-sarna.com>
Subject: Re: [ZPatterns] still struggling with a session-based LoginMethod

I ran into the same problem. Turns out that Zope has 2 security mechanisms.
The first checks the permissions on the published objects. The second is
used when doing things like parsing the DTML.

There is no way around it besides making sure that every folder that
restricts access has an index_html in it. The index_html is looked for at
publishing time and will trigger the loginForm.

We had to go back to basic auth as we had just finished developing a whole
publishing setup that was built around the idea of having 1 index_html at
the top level. :P

End citation -------------------

Can someone with the real Zope-Zen help?


Kind regards

Joachim Schmitz

AixtraWare, Ing. Büro für Internetanwendungen
Hüsgenstr. 33a, D-52457 Aldenhoven
Phone: +49-2464-8851, FAX: +49-2464-905163