[Zope] Security in External Method - urllib

J Cameron Cooper jccooper@jcameroncooper.com
Mon, 24 Feb 2003 15:00:19 -0600


> What's the syntax and how do I get the current user's name and password?
There's been at least one recent discussion on this list about that 
topic. A quick search will probably tell you more than you want to know.

In short, though, the username can be gotten through the REQUEST object 
with AUTHENTICATED_USER. The password, however, is generally more 
difficult since it is (at best) restricted.

If the passwords of your folder are not encrypted (check the 
encrypt_passwords property on your UserFolder, the default is no) you 
can try a 'user._getPassword()' where 'user' is a User object. That 
underscore makes it a private method, and Python Scripts won't allow it, 
but possibly you can get away with it in an External Method. If not, you 
can make a small change to the Zope source to allow it:

in zope/lib/python/AccessControl/User.py
in class SimpleUser
add a method like

def getPassword(self):
    """Return password in the clear."""
    # the password is stored in the attribute named "underscore underscore"
    return self.__

Then you can call it like

container.REQUEST.AUTHENTICATED_USER.getPassword()
in a Python Script

or
<dtml-with AUTHENTICATED_USER>
 <dtml-var getPassword>
</dtml-with>
in DTML.

Others on this list can tell you why this might be a bad idea.

A better idea might be to find a UserFolder which will do this for you 
or allow you to do it yourself. exUserFolder is always something to look 
at when dealing with user folders. You might also store your passwords 
parallel to the internal ones in an accessible place, but this is 
certainly an even worse idea than above.

             --jcc
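As an added example (not part of the original post or of Zope itself), here is a standalone way to check the other half of the advice above: whether a folder's stored passwords are actually in the clear, which is what makes `_getPassword()` or the `getPassword` patch hand them back. It re-creates the `{SSHA}` layout Zope's AuthEncoding module writes when `encrypt_passwords` is on (base64 of sha1(password + salt) followed by the salt); the scheme prefixes, the salt and the user records are constructed assumptions for the example.

```python
import base64
import hashlib

# Assumption: digest-scheme prefixes written by Zope's AuthEncoding when a
# user folder has encrypt_passwords enabled. Anything without one is cleartext.
KNOWN_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MYSQL}")


def is_encrypted(stored):
    """True if the stored value carries a recognised digest prefix."""
    return stored.startswith(KNOWN_SCHEMES)


def ssha_encrypt(password, salt=b"constructedsalt"):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_validate(stored, attempt):
    """Check an attempt against a {SSHA} value; the salt is whatever follows
    the 20-byte SHA-1 digest, so no salt has to be stored separately."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(attempt.encode("utf-8") + salt).digest() == digest


def audit_cleartext(records):
    """Return the names of users whose stored password is in the clear,
    i.e. the accounts the getPassword() trick would expose."""
    return [name for name, stored in records if not is_encrypted(stored)]


# Constructed sample (name, stored password value) pairs; not real data.
SAMPLE_RECORDS = [
    ("alice", ssha_encrypt("alice-secret")),
    ("bob", "bobs-password-in-the-clear"),
    ("carol", "{SHA}" + base64.b64encode(
        hashlib.sha1(b"carol-secret").digest()).decode("ascii")),
]

if __name__ == "__main__":
    for name in audit_cleartext(SAMPLE_RECORDS):
        print("stored in the clear: %s" % name)
    print("alice validates:", ssha_validate(SAMPLE_RECORDS[0][1], "alice-secret"))
```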