[Zope] acl_users and cookie crumbler login problem

philrobinson phil@unitec.demon.co.uk
Sun, 16 Feb 2003 19:25:26 -0000


Here's my ZODB structure:

parent_folder
-- child_folder_1
-- child_folder_2

I want users to be able to authenticate into each of the child folders
independently, so I put an acl_users and cookie crumbler into each
of the child folders (can be either standard user folder or XUF, makes
no difference).

I then define a single user in each child folder as follows:
'child_1' in 'child_folder_1/acl_users'
'child_2' in 'child_folder_2/acl_users'

I set each cookie crumbler to 'Use cookie paths to limit scope'.

I then put a file called 'login_stub' in each of the folders with its
'view' acquisition turned off.

Point a browser at either of the 'login_stub's, and you get a login form;
enter a valid name/pwd for that folder and you have access (of course, you
had view access before, but now you have whatever rights the relevant user
has, which may be more than just 'Anonymous'). Looking at a different child
folder does the same thing again as you would expect.

Inspecting the cookies shows their paths to be '/child_folder_1' etc.
So, this gets me the ability to authenticate into each child folder
separately, perhaps using a different user name.

If I put an acl_users and cookie_crumbler into 'parent_folder' (to allow a
different group of people to manage at that level), however, it all goes
wrong.

With these present, the cookie paths from the above example become '/',
which seems to indicate that they are being generated in the parent_folder
rather than the relevant child one. And login fails; presumably because the
username supplied for (say) 'child_folder_1' is not valid for
'parent_folder'.

If I remove the acl_users and cookie_crumbler from parent_folder, the child
folders work fine again.

To summarise: if the higher level ones are present, Zope uses them. If not,
it uses the child one as it should. Why should the presence or absence of
the objects in 'parent_folder' affect the child's behaviour?

I don't see how it can be caused by restrictive permissions on something in
the child folders, since it wouldn't work without the parent_folder objects,
but this seems to be kind of the opposite of what acquisition is supposed
to do.

Anyone run into this kind of thing or am I just trying to be too fine
grained and it can't be done?

Thanks in advance....
Phil Robinson

PS Without the cookie crumblers present, each child seems to behave as you
expect. Of course, you can only be logged into one at a time, but the
presence or absence of an acl_users in 'parent_folder' doesn't affect their
behaviour.
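
Added example, not part of the original post: browser cookie path matching (RFC 6265) applied to the folder paths reported above, showing which login cookie reaches which child folder when the cookie path is '/child_folder_1' versus '/'. The cookie values and the two jars are constructed for illustration; the code models the browser side only and makes no claim about why Zope chose the path.

```python
# Added example: RFC 6265 cookie path matching for the layout in the post.
# Cookie values and jars below are constructed, not captured traffic.

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does cookie_path cover request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # The prefix must end on a "/" boundary, so that /child_folder_1
        # does not also cover /child_folder_10.
        return (cookie_path.endswith("/")
                or request_path[len(cookie_path)] == "/")
    return False


def cookies_sent(jar, request_path):
    """Return the (path, value) pairs a browser attaches to a request,
    longest (most specific) cookie path first."""
    hits = [(p, v) for (p, v) in jar if path_match(request_path, p)]
    return sorted(hits, key=lambda c: len(c[0]), reverse=True)


# Working case from the post: each login cookie is scoped to its folder.
SCOPED_JAR = [
    ("/child_folder_1", "child_1-credentials"),
    ("/child_folder_2", "child_2-credentials"),
]

# Failing case from the post: the cookie set after logging in as child_1
# carries path "/", so it is no longer confined to child_folder_1.
ROOT_JAR = [("/", "child_1-credentials")]

if __name__ == "__main__":
    for label, jar in (("scoped", SCOPED_JAR), ("root", ROOT_JAR)):
        for url in ("/child_folder_1/login_stub", "/child_folder_2/login_stub"):
            print(label, url, cookies_sent(jar, url))
```

With the '/' path, the credentials entered for child_folder_1 accompany every request to child_folder_2 as well, so the per-folder separation that the scoped paths provided is gone regardless of which user folder ends up validating them.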