[Zope] authenticated_user troubles

Art Hampton arth@pacsg.css.mot.com
Tue, 15 Feb 2000 13:01:32 -0600


I think I might be able to help.

If you're using cookie based authentication, read no further, I can't
help.

If you're using basic authentication, you aren't (and won't be)
challenging the remote browser.

With basic authentication, clients tend to send authentication info only
if they are challenged to do so.  Unfortunately, the only way to
challenge them is to refuse to serve the document.

Because your document is visible to all users, the document is served. 
No challenge (unauthorized) is raised.  Therefore the authentication
info is never sent.  Therefore you don't know who they are.

To verify this, add the line:
  <dtml-var "AUTHENTICATED_USER.getUserName()">
somewhere on the page (<dtml-var AUTHENTICATED_USER> should also work). 
It will say "Anonymous User" for the reasons stated above.

I had the same problem with my site, so I ended up creating an
"Authenticated" role.  I locked down the entire site so that you need
the "Authenticated" group to view anything, with the exception of the
login instructions on the front page of the site.

As I understand things, you can avoid this by using cookie based
authentication.  But that isn't currently an option for me.


Darcy Clark wrote:
> 
> I am trying to implement a mechanism to let managers edit content on a
> site that I am building. I have the following statement on various pages
> to add certain functionality to pages based on the authenticated user's roles:
> 
> <dtml-if "AUTHENTICATED_USER.has_role(['Manager'])">
> 
> blah blah  (e.g. display an edit or delete button)
> 
> </dtml-if>
> 
> I am currently authenticating by a login link in the
> standard_html_header to a DTML document that opens in a new window and
> can only be viewed by a Manager (I edited the security setting for this
> particular object so that only managers could view it). If the manager
> logs in correctly, a javascript closes the login window, and reloads the
> original page to presumably now include the editing and deleting buttons
> on my content....but it doesn't work. Can anyone explain to me why, if
> the authenticated user logs in to view a particular object, the
> above snippet of code doesn't return true in other objects within the
> same hierarchy?
> 
> thanks in advance,
> 
> (I suspect I am not 'grokking' something here....heh)
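The challenge-then-credentials flow Art describes above, as an added Python example that is not code from the original post or from Zope: a minimal server that only raises a 401 challenge when the requested object is not viewable by the current user, and a client that only sends Basic credentials after such a challenge. The user database, the two site layouts, the paths and the role names are constructed for illustration.

```python
import base64

# Constructed for this example: username -> (password, roles).
USERS = {"darcy": ("s3cret", frozenset({"Manager", "Authenticated"}))}

# Two hypothetical site layouts: path -> roles allowed to view it
# (an empty set means the object is visible to everyone, i.e. never challenged).
OPEN_SITE = {
    "/index": frozenset(),                  # public, so served without a challenge
    "/login": frozenset({"Manager"}),       # the login window from the question
}
LOCKED_SITE = {
    "/index": frozenset({"Authenticated"}),  # Art's fix: everything needs a role...
    "/login": frozenset({"Manager"}),
    "/instructions": frozenset(),            # ...except the login instructions
}


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header):
    """Map an Authorization header to (username, roles); Anonymous if absent or wrong."""
    creds = parse_basic(header)
    if creds:
        user, password = creds
        entry = USERS.get(user)
        if entry is not None and entry[0] == password:
            return user, entry[1]
    return "Anonymous User", frozenset({"Anonymous"})


def handle(site, path, headers):
    """Server side: serve the object, or refuse it with 401 + WWW-Authenticate."""
    required = site.get(path)
    if required is None:
        return 404, {}, ""
    user, roles = authenticate(headers.get("Authorization"))
    if required and not (roles & required):
        # Refusing the document is the only way to make the client send credentials.
        return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}, ""
    # What <dtml-var "AUTHENTICATED_USER.getUserName()"> would render on this page.
    return 200, {}, "AUTHENTICATED_USER=%s" % user


def fetch(site, path, credentials):
    """Client side (as described in the post): credentials go out only after a 401."""
    log = []
    status, hdrs, body = handle(site, path, {})
    log.append(("GET %s" % path, status))
    challenged = hdrs.get("WWW-Authenticate", "").startswith("Basic")
    if status == 401 and challenged and credentials:
        token = base64.b64encode(("%s:%s" % credentials).encode("utf-8")).decode("ascii")
        status, hdrs, body = handle(site, path, {"Authorization": "Basic " + token})
        log.append(("GET %s + Authorization" % path, status))
    return status, body, log


def demo():
    """Run the scenarios from the thread; each value is (status, body, request log)."""
    creds = ("darcy", "s3cret")
    return {
        "login_window": fetch(OPEN_SITE, "/login", creds),        # challenged, then 200 as darcy
        "public_page": fetch(OPEN_SITE, "/index", creds),         # never challenged: Anonymous
        "locked_page": fetch(LOCKED_SITE, "/index", creds),       # now challenged: darcy
        "instructions": fetch(LOCKED_SITE, "/instructions", creds),  # still public
        "bad_password": fetch(LOCKED_SITE, "/index", ("darcy", "wrong")),  # stays 401
    }


if __name__ == "__main__":
    for name, (status, body, log) in demo().items():
        print("%-13s %d %-32s %s" % (name, status, body, log))
```

The client here sends credentials only in reply to a 401, which is the behaviour the post describes; RFC 2617 also lets a client preemptively reuse Basic credentials for other URIs in the same protection space, so a real browser may behave differently after its first challenge. The locked-down layout works regardless, because every object except the instructions page now forces the challenge, so AUTHENTICATED_USER is populated wherever the dtml-if runs.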