[Zope] Question about users...

djb@redhat.com djb@redhat.com
Fri, 30 Jul 1999 20:12:33 -0400


> > Okay, I'm a Zope newbie.  I installed it on my laptop to muck with it,
> > and so far I'm impressed.  But I'm having some trouble...I tried to
> > create a new user and add that user to the "Manager" role.  I then
> > changed the permissions in the Security tab to let Manager have some
> > privs to do things.  The only problem is, no matter what I try, I can't
> > log in as that user.
> 
> Did you add that user to the very top root folder 'acl_users' User
> folder?  If you added the user to a folder *below* the root folder, then
> you can only log in at the same level as the user folder the user is
> defined in.  This is a very important security feature.

Yes, I added the user at the very top level.  They have "manager" as a role.
I've tried leaving Domains empty, adding "*", and adding "*.redhat.com", all
without success.

I also tried creating a folder and then adding a user there.  No dice.
I presume that I *should* be able to create a folder called "junk",
then create a user in that folder with proper privs, then log in to
that folder with something like:

http://localhost:9673/junk/manage

Right?  It seems to want to do this, but all authentication attempts as
anyone other than superuser fail.

> > I would have thought I could just pull up a browser on another machine
> > somewhere, point it at my laptop, and log in.  I can do this as
> > the superuser, but not as the new user I created.  Not at all.  I don't
> > see much in the docs about logging in as another user, either.  Nor do
> > I even see how to log *out* once you log in as the superuser (help?).
> 
> There is no concept of 'log out' with HTTP basic authentication.  You
> log out when the server raises a 403 Unauthorized error.  Or you can
> close the browser.  You see, Zope challenges you on EVERY request you
> make, but web browsers are very nice (sometimes too nice) about caching
> the userid and password you used and using it all over the place to try
> and unlock any HTTP doors.  Note this is very different from a
> cookie-based authentication which some types of Zope products do.

Ahh, I see.  Any chance cookie authentication is going to be added to the
base Zope as an option?  Are those "add on products" free as well?  If
so, where would one find them?

Oh, one more thing...kudos to the team that built this stuff.  It really
is neat.


--Donnie

--
  Donnie Barnes  http://www.donniebarnes.com  djb@donniebarnes.com  "Bah."
   Challenge Diversity.  Ignore People.  Live Life.  Use Linux.  879. V. 
    Bats, when dipped in batter and deep fried, still taste pretty bad.
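
The per-request behaviour of HTTP basic authentication described in the quoted reply, as an added example that is not part of the original message or of Zope's own code: a server-side check that validates the Authorization header on every request, and a model browser that replays its cached credentials until it is challenged. The user table, realm name, and the `Browser`, `parse_basic` and `handle_request` names are assumptions made for the illustration; the challenge uses HTTP's 401 status with a WWW-Authenticate header.

```python
import base64
import binascii
import hmac

# Constructed user table for this example; not Zope's acl_users format.
USERS = {"donnie": "s3cret"}
REALM = "Zope"

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def handle_request(headers, users=USERS):
    """Server side: each request is checked on its own; no session exists."""
    creds = parse_basic(headers.get("Authorization"))
    if creds:
        expected = users.get(creds[0])
        if expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}

class Browser:
    """Client side: caches credentials and replays them on every request."""
    def __init__(self):
        self.cached = None

    def login(self, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cached = "Basic " + token

    def get(self, users=USERS):
        headers = {"Authorization": self.cached} if self.cached else {}
        status, _ = handle_request(headers, users)
        if status == 401:
            self.cached = None  # a fresh challenge is the only "log out"
        return status
```

Because the server keeps no session, the only ways to end a login are the two the reply names: the server rejects the replayed credentials, or the browser discards its cache.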