[Zope3-Users] pau and zope.manager

Jim Washington jwashin at vt.edu
Tue Oct 4 08:51:18 EDT 2005


I wrote:

> I want to use pau, with session (cookie) based authentication.  No 
> basic authentication.
>
> The problem is, when the pau is activated, the zope.manager defined in 
> zcml seems to be no longer accessible, effectively locking me out of 
> the zmi.
>
> What I think is happening is the pau appends a prefix to the principal 
> name, so that the principal, instead of being "zope.manager", becomes 
> "prefixzope.manager", which has no permissions anywhere.
>
> I think my choices are the following.
>
> 1.  make pau always look (last) in principalRegistry and return a 
> non-prefixed principal if found and validated
> 2.  have my authentication plugin look in principalRegistry and assign 
> the same roles for the principals found in principalRegistry, but with 
> the pau prefix.  This would happen when the plugin is created or on 
> demand.
> 3.  provide methods for my authentication plugin to generate an 
> emergency user for one of its valid principals
>
> Or did I miss something in the documentation that gets around this?

Apparently not?  So, I am going to choose door #3.  It should be pretty 
simple.  The main hazard is getting it wrong, which will require some 
amusing spelunking with the debugger to deactivate the utility if there 
is anything important in the ZODB.  On the good side, it will prep me 
for the next project, which I think will require ldap.

-Jim Washington


