[Zope] authenticated_user troubles - I get it

Darcy Clark darcyc@engin.umich.edu
Tue, 15 Feb 2000 16:30:59 -0500


thanks for the replies....I think Art has it figured out. Unfortunately
it seems that unless I switch to cookies, I am not going to be able to
make it work like I had planned....that's fine....at least I understand
how it works now....hopefully this will help others down the track who
stumble on the same thing.

It would be nice to get access to AUTHENTICATED_USER without necessarily
challenging the browser.

Darcy

Art Hampton wrote:
> 
> I think I might be able to help.
> 
> If you're using cookie based authentication, read no further, I can't
> help.
> 
> If you're using basic authentication, you aren't (and won't be)
> challenging the remote browser.
> 
> With basic authentication, clients tend to send authentication info only
> if they are challenged to do so.  Unfortunately, the only way to
> challenge them is to refuse to serve the document.
> 
> Because your document is visible to all users, the document is served.
> No challenge (unauthorized) is raised.  Therefore the authentication
> info is never sent.  Therefore you don't know who they are.
> 
> To verify this, add the line:
>   <dtml-var "AUTHENTICATED_USER.getUserName()">
> somewhere on the page (<dtml-var AUTHENTICATED_USER> should also work).
> It will say "Anonymous User" for the reasons stated above.
> 
> I had the same problem with my site, so I ended up creating an
> "Authenticated" role.  I locked down the entire site so that you need
> the "Authenticated" group to view anything, with the exception of the
> login instructions on the front page of the site.
> 
> As I understand things, you can avoid this by using cookie based
> authentication.  But that isn't currently an option for me.
> 
> Darcy Clark wrote:
> >
> > I am trying to implement a mechanism to let managers edit content on a
> > site that I am building. I have the following statement on various pages
> > to add certain functionality to pages based on the authenticated user's roles:
> >
> > <dtml-if "AUTHENTICATED_USER.has_role(['Manager'])">
> >
> > blah blah  (e.g. display an edit or delete button)
> >
> > </dtml-if>
> >
> > I am currently authenticating by a login link in the
> > standard_html_header to a DTML document that opens in a new window and
> > can only be viewed by a Manager (I edited the security setting for this
> > particular object so that only managers could view it). If the manager
> > logs in correctly, a javascript closes the login window, and reloads the
> > original page to presumably now include the editing and deleting buttons
> > on my content....but it doesn't work. Can anyone explain to me why, if
> > the authenticated user logs in to view a particular object, the
> > above snippet of code doesn't return true in other objects within the
> > same hierarchy?
> >
> > thanks in advance,
> >
> > (I suspect I am not 'grokking' something here....heh)

-- 
---------------------------------------------------
Ph: (734) 764 3377 
Email: darcyc@engin.umich.edu
URL: http://www-personal.engin.umich.edu/~darcyc/
---------------------------------------------------
'If you're not part of the solution, you're part of the precipitate'
..... Steven Wright
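The exchange Art describes, as an added example that is not part of the thread or of Zope: a small model of a Basic-auth server and of a client that sends credentials only when retrying a request that was answered 401. The user name, password and paths are constructed; `walkthrough(True)` replays Darcy's setup (Manager-only login document, public index page), `walkthrough(False)` replays Art's fix of protecting the index as well.

```python
import base64
from typing import Dict, Optional, Set, Tuple

# Constructed example credentials and realm (not from the thread).
USERS = {"alice": "s3cret"}
REALM = "Zope"


def user_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Decode a Basic Authorization header; return the user name if the password matches, else None."""
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        name, _, password = base64.b64decode(payload).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return name if USERS.get(name) == password else None


def serve(path: str, headers: Dict[str, str], public: Set[str]) -> Tuple[int, Dict[str, str], str]:
    """Server side: a public object is served to anyone (as Anonymous User when no
    credentials arrive); a protected object answers 401 until valid credentials arrive."""
    user = user_from_headers(headers)
    if path not in public and user is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Anonymous User"
    return 200, {}, user or "Anonymous User"


class Browser:
    """Client side, as described in the thread: credentials are sent only as the
    retry of a request that was refused with 401, never unprompted."""

    def __init__(self, name: str, password: str) -> None:
        self.token = "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

    def get(self, path: str, public: Set[str]) -> Tuple[int, str]:
        status, resp_headers, user = serve(path, {}, public)
        if status == 401 and resp_headers.get("WWW-Authenticate", "").startswith("Basic"):
            status, _, user = serve(path, {"Authorization": self.token}, public)
        return status, user


def walkthrough(index_is_public: bool) -> Dict[str, Tuple[int, str]]:
    """Replay the thread: log in through a Manager-only document, then load the index page."""
    public = {"/index"} if index_is_public else set()
    browser = Browser("alice", "s3cret")
    return {"/login": browser.get("/login", public), "/index": browser.get("/index", public)}
```

With a public index the second request carries no credentials and the server sees "Anonymous User", so a `has_role(['Manager'])` test on that page is false; once the index is protected, the 401 challenge makes the client send them and the same user is seen on both pages.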