[Zope] Investigations into UserDB

Evan Gibson egibson@connect.com.au
Sun, 3 Oct 1999 19:11:23 +1000


Morning Everyone...

I have a copy of UserDB working off a Gadfly database and, in the
course of some investigations today, have discovered a few things
about it.

First off, someone in the past commented that he couldn't get cookie
based authentication to work and so had hacked the UserDb file to
comment out the first two lines in validate.

    def validate(self,request,auth='',roles=None):
        if self.cookie_mode:
            return self.cookie_validate(request, auth, roles)
        return self.std_validate(request, auth, roles)

When I first installed UserDB I had a similar problem (it was ALWAYS
asking me to validate, and not accepting _any_ username or password I
typed in). I actually locked myself out of my site for a while.
So I used his "fix" and my problems went away...
Other people said they didn't have this problem.

Guess what?

The default cookie authentication works under Netscape but NOT under
the latest version of IE on my computer at home.
(Well, actually, what really happens is that anytime the popup password
window is triggered it will fail _anything_ you type in if you have
cookie based auth on, but that window pops up without any prompting on
IE.)


Next.

Another guy wrote that:
----
If you change line 469 of lib/python/DocumentTemplate/DT_String.py
from
    md.validate=self.validate
to
    md.validate=None
Then UserDb authentication will take place instead of the bogus standard
type which doesn't exist.
-----

And this fixes the problem that turns up under IE; it'll actually let
me view my front page now.
But now I HAVE to go to my front page and log in, I can't go straight
to the manage page at all, even the superuser password doesn't work.

Also the manage page behaves _very_ strangely under this arrangement. 
Sometimes (non-repeatable, I hate that) I click on a folder in the left 
column and it _automatically_ views the index_html for that folder and 
I can't get to the real manage thing without logging in again.
I would suspect I'd been logged out (cookie timeout) but why would it
view the page instead of asking me for auth (which would fail anyway)?

Is there any way to make authorisation failures redirect to the
userDB docLogin page instead of bringing up the password window?



Anyway... Enough about UserDB for now.

My other question has to do with proxy roles... I was trying to set up
a counter, and the suggestion of:
    <dtml-call "manage_changeProperties({'counter': counter + 1})">
works perfectly, but only if I set the proxy role of manager for my
INDEX_HTML page that includes the counter through:
    <dtml-var add_counter>
Setting the proxy role on the add_counter method does NOTHING; it still
wants authorisation. (Index html is a method as well.)
And I was wondering if this was part of the security layout and whether
it was meant to work this way or not.
It seems kinda bad having to give my main page management privs.


Thanks everyone for your help...
The other Evan.

--
  Evan ~ThunderFoot~ Gibson    ~ nihil mutatem, omni deletum ~
      May the machines watch over you with loving grace.