Login/Authentication/Authorization tools wrt SquishDot
See standard apologies below. I'm quite interested in using SquishDot as a base for web page support for university-level courses that I teach. I like the article-based discussion groups and the general slashdot-like presentation. I'm willing (at this stage) to do whatever Python and DTML programming is required for the special needs for course pages (there shouldn't be all that much). I also like the security model - I can define roles for Instructors, Teaching Assistants, Registered Students and Anonymous Guests, etc., with different rights for each. A couple of things I need though: 1. A way to identify in DTML the rights of the current user, so pages can be adapted. I would like to get the loginId for the user, but more important, I think, would be just a way to test for various roles. EG: "is the current user a registered student?", etc. A quick reading of Publish.py (in Zope 1.10.3) seems to show all the authorization logic deeply bound into method 'publish', and it would be nice to have that brought out into a separate method. 2. A way to import a few hundred userids, passwords, and roles, from our own registration databases. Or would it be better to let the webserver authenticate people? - I was going to let Zope do it. 3. A way to have a 'login' link that allows a user to change their identities at any time (more useful for me during testing, but I would like anyone to be able to view pages anonymously at any time, but only have to login when they wish to post an unmoderated response to an article). I haven't seen any obvious way to do any of this. Did I miss something? Is anyone else working on something similar? If this is already documented somewhere (if only in Python code), pointers to that would be just fine. Standard Apologies: I'm pretty new to Zope, and I haven't exhaustively searched the mail archives, so my apologies if it's already been covered. Time is running out, the first day of classes approaches all too quickly ...
I'm a competent programmer, and not afraid to get my hands dirty ... thanks neal -- Neal Holtz http://www.docuweb.ca/~nholtz Dept. of Civil and Environmental Engineering, Carleton University, Ottawa, Ontario, Canada K1S 5B6. nholtz@docuweb.ca
On Wed, 25 Aug 1999, Neal Holtz wrote:
> 1. A way to identify in DTML the rights of the current user, so pages can be adapted. I would like to get the loginId for the user, but more important, I think, would be just a way to test for various roles. EG: "is the current user a registered student?", etc.

has_role, has_permission are methods of the AUTHENTICATED_USER.
> 2. A way to import a few hundred userids, passwords, and roles, from our own registration databases. Or would it be better to let the webserver authenticate people? - I was going to let Zope do it.

Well, you should then probably write or develop a UserFolder class that authenticates against your existing databases :)
> 3. A way to have a 'login' link that allows a user to change their identities at any time (more useful for me during testing, but I would like anyone to be able to view pages anonymously at any time, but only have to login when they wish to post an unmoderated response to an article.

Well, a login link is no problem. But changing userid is difficult with Basic Authentication as is: as long as your rights suffice, you have to kill the browser. If the permissions are not enough, you will be prompted automatically for a new userid.
> I haven't seen any obvious way to do any of this. Did I miss something? Is anyone else working on something similar? If this is already documented somewhere (if only in Python code), pointers to that would be just fine.
Well, just look at the source code :) Andreas -- Andreas Kostyrka | andreas@mtg.co.at phone: +43/1/7070750 | phone: +43/676/4091256 MTG Handelsges.m.b.H. | fax: +43/1/7065299 Raiffeisenstr. 16/9 | 2320 Zwoelfaxing AUSTRIA
A quick note on changing identities during testing/development: If you can, set up multiple names by which your server can be reached, such as "www.monty.net" and "monty.net" or "www2.monty.net". Do your administration using one name and your testing-as-user through the other; your browser will keep independent authentication for each.
At 15:07 25-8-99 , Neal Holtz wrote:
> 1. A way to identify in DTML the rights of the current user, so pages can be adapted. I would like to get the loginId for the user, but more important, I think, would be just a way to test for various roles. EG: "is the current user a registered student?", etc.
The AUTHENTICATED_USER object has several methods that are of use here. The one you want to use is has_role:

<!--#if "AUTHENTICATED_USER.has_role(['Role1', 'Role2'])"-->
This text will only be visible to users that have a 'Role1' or 'Role2' role.
<!--#/if-->
> A Quick reading of Publish.py (in Zope 1.10.3) seems to show all the authorization logic deeply bound into method 'publish', and it would be nice to have that brought out into a separate method.
The AUTHENTICATED_USER code can be found in lib/python/AccessControl/User.py, in the classes BasicUser and User (the latter is a subclass of the first).
> 2. A way to import a few hundred userids, passwords, and roles, from our own registration databases. Or would it be better to let the webserver authenticate people? - I was going to let Zope do it.
For this you could use UserDB. It is an alternative UserFolder object that lets you authenticate users against a database. It can be adjusted to fit any existing database schema. You can download the UserDB product from: http://www.zope.org/Download/Prereleases/UserDB
> 3. A way to have a 'login' link that allows a user to change their identities at any time (more useful for me during testing, but I would like anyone to be able to view pages anonymously at any time, but only have to login when they wish to post an unmoderated response to an article.
One of the nice extras that UserDB offers is cookie-based authentication. Normally Zope uses the HTTP Basic Authentication protocol, and current browser implementations make it difficult to switch username and password within a website. With UserDB, you can easily give the user a webpage where they can offer a new username and password combination to switch Roles, or a logout page to switch back to the Anonymous Role. -- Martijn Pieters, Web Developer | Antraciet http://www.antraciet.nl | T: +31 35 7502100 F: +31 35 7502111 | mj@antraciet.nl http://www.antraciet.nl/~mj | PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
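As an added illustration of the pattern the replies describe (not code from this thread, from Zope or from the UserDB product), here is a small Python model: a user folder that checks credentials against an existing registration database, a has_role that takes a single role or a list like Zope's AUTHENTICATED_USER.has_role, and cookie-style sessions so an identity can be switched or dropped without restarting the browser. All class names, the role names and the database contents are hypothetical and constructed here.

```python
import hashlib
import hmac
import secrets


def _digest(password: str, salt: str) -> str:
    # Salted hash so the registration table never stores clear-text passwords
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the course registration database:
# username -> (salt, password digest, roles). Hypothetical, not UserDB.
REGISTRATION_DB = {
    "prof": ("s1", _digest("teach-me", "s1"), ["Instructor"]),
    "ta1": ("s2", _digest("grade-it", "s2"), ["Teaching Assistant"]),
    "stu42": ("s3", _digest("study-hard", "s3"), ["Registered Student"]),
}


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, roles):
        # Accept one role name or a list; true if the user holds any of them
        if isinstance(roles, str):
            roles = [roles]
        return any(r in self.roles for r in roles)


ANONYMOUS = User("Anonymous User", ["Anonymous"])


class DBUserFolder:
    """Validates logins against REGISTRATION_DB; maps session cookies to users."""

    def __init__(self):
        self.sessions = {}

    def authenticate(self, name, password):
        rec = REGISTRATION_DB.get(name)
        if rec is None:
            return None
        salt, digest, roles = rec
        # Constant-time comparison of the stored and computed digests
        if not hmac.compare_digest(_digest(password, salt), digest):
            return None
        return User(name, roles)

    def login(self, name, password):
        # Returns a fresh random cookie value, or None on bad credentials
        user = self.authenticate(name, password)
        if user is None:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    def current_user(self, token):
        # Unknown or expired cookie falls back to the Anonymous role
        return self.sessions.get(token, ANONYMOUS)


def can_post_unmoderated(user):
    # Page logic the DTML would express with has_role: only course members post
    return user.has_role(["Instructor", "Teaching Assistant", "Registered Student"])
```

Logging in again with different credentials simply yields a new cookie bound to the new user, which is the identity switch Basic Authentication cannot offer.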