[Zope] hasRole bug or feature in 2.2.?

Randall F. Kern randy@spoke.net
Sat, 13 Jan 2001 13:31:45 -0800


> From: Ron Bickers [mailto:rbickers@logicetc.com]

> If this is true, it explains clearly Zope's behavior.  It's really a browser
> "feature" and not a Zope issue at all.



Yes, that's the problem.

My solution is to use a custom UserFolder, which sets a temporary cookie
when a normal HTTP login is accepted.  This cookie is then used for
further validation.  The class I use is rather complex, providing
persistent login in addition to these features, and randomly re-creating
the cookie so one can't easily spoof a user, but this simple class will
get you going:

import AccessControl.User

class UserFolder(AccessControl.User.BasicUserFolder):
	def validate(self, request, auth='', roles=None):
		# Try the normal HTTP authentication first.
		user = AccessControl.User.BasicUserFolder.validate(self, request, auth, roles)
		if user is AccessControl.User.nobody or user is None:
			# No HTTP login accepted: fall back to the 'login' cookie.
			if request.cookies.has_key('login'):
				user = self.getUser(request.cookies['login'])
		else:
			# HTTP login accepted: remember the user name in a cookie.
			request.response.setCookie('login', user.getUserName(), path='/')

		return user


-Randy
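
Added example, not part of the original post and not the poster's own class: the simple class above stores the bare user name in the `login` cookie, so the cookie value alone decides which user is returned. One way to make that value unforgeable is an HMAC-signed, expiring token (a different technique from the random re-creation the post mentions); `SECRET_KEY`, `MAX_AGE` and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a per-server secret. A real deployment would
# store it persistently instead of regenerating it at import time.
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE = 3600  # seconds a cookie stays valid (assumed value)


def _sign(payload, key):
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def make_login_cookie(username, key=SECRET_KEY, now=None):
    """Return 'hexname:issued:mac' for a user who just passed HTTP auth."""
    issued = int(time.time() if now is None else now)
    # Hex-encode the name so a ':' inside a user name cannot shift fields.
    payload = "%s:%d" % (username.encode("utf-8").hex(), issued)
    return "%s:%s" % (payload, _sign(payload, key))


def verify_login_cookie(value, key=SECRET_KEY, now=None, max_age=MAX_AGE):
    """Return the user name if the cookie is authentic and fresh, else None."""
    try:
        value.encode("ascii")  # a valid cookie is hex digits, digits and ':'
    except UnicodeEncodeError:
        return None
    parts = value.split(":")
    if len(parts) != 3:
        return None
    hexname, issued, mac = parts
    payload = "%s:%s" % (hexname, issued)
    # Constant-time comparison; check the MAC before trusting any field.
    if not hmac.compare_digest(mac, _sign(payload, key)):
        return None
    try:
        age = (time.time() if now is None else now) - int(issued)
        username = bytes.fromhex(hexname).decode("utf-8")
    except ValueError:
        return None
    if age < 0 or age > max_age:
        return None
    return username
```

In a `validate` method like the one above, the cookie would be set to `make_login_cookie(user.getUserName())` and only a non-None result of `verify_login_cookie(request.cookies['login'])` would be passed to `getUser`.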