How can I find out who visited a URL within my Zope Product?
Hello: I would like to log the identity of the authenticated user for *every* URL traversal within my Zope Product. For example, let's say that my forms-based web application contains 50 screens. They are all protected such that only authenticated users can view them. Any one of them could be bookmarked, so a user could "jump in" at any point. I want to record the fact that a user visited a screen, each and every time they do so. A natural place to do this would be in a pre-traversal hook, but I seem to be stymied by the lack of authentication information in __bobo_traverse__ or __before_publishing_traverse__ Can anyone think of a way this could be done? I suppose I could hack all of my ZPTs to call a "registerUser" method by putting it in an empty <span> in their shared header, but that seems to mix concerns. Why should my ZPTs have knowledge of this workflow requirement? Thanks in advance! --Craeg
Much easier and nicer is to use an "Access Rule" (look in the Add drop-down). Tim Craeg K Strong wrote:
Hello:
I would like to log the identity of the authenticated user for *every* URL traversal within my Zope Product.
For example, let's say that my forms-based web application contains 50 screens. They are all protected such that only authenticated users can view them. Any one of them could be bookmarked, so a user could "jump in" at any point.
I want to record the fact that a user visited a screen, each and every time they do so.
A natural place to do this would be in a pre-traversal hook, but I seem to be stymied by the lack of authentication information in __bobo_traverse__ or __before_publishing_traverse__
Can anyone think of a way this could be done?
I suppose I could hack all of my ZPTs to call a "registerUser" method by putting it in an empty <span> in their shared header, but that seems to mix concerns. Why should my ZPTs have knowledge of this workflow requirement?
Thanks in advance!
--Craeg
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
-- Tim McLaughlin Chief Technology Officer Siteworx, Inc... Set your site on the future! 703.390.5421
An Access Rule doesnt let you find the authenticated user check this post a few weeks ago: http://lists.zope.org/pipermail/zope-dev/2002-September/017596.html -- Andy McKay www.agmweb.ca ----- Original Message ----- From: "Tim McLaughlin" <tim@siteworx.com> To: "Craeg K Strong" <cstrong@arielpartners.com> Cc: <zope-dev@zope.org> Sent: Tuesday, October 08, 2002 3:12 PM Subject: Re: [Zope-dev] How can I find out who visited a URL within my Zope Product?
Much easier and nicer is to use an "Access Rule" (look in the Add drop-down).
Tim
Craeg K Strong wrote:
Hello:
I would like to log the identity of the authenticated user for *every* URL traversal within my Zope Product.
For example, let's say that my forms-based web application contains 50 screens. They are all protected such that only authenticated users can view them. Any one of them could be bookmarked, so a user could "jump in" at any point.
I want to record the fact that a user visited a screen, each and every time they do so.
A natural place to do this would be in a pre-traversal hook, but I seem to be stymied by the lack of authentication information in __bobo_traverse__ or __before_publishing_traverse__
Can anyone think of a way this could be done?
I suppose I could hack all of my ZPTs to call a "registerUser" method by putting it in an empty <span> in their shared header, but that seems to mix concerns. Why should my ZPTs have knowledge of this workflow requirement?
Thanks in advance!
--Craeg
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
-- Tim McLaughlin Chief Technology Officer Siteworx, Inc... Set your site on the future! 703.390.5421
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Can anyone think of a way this could be done?
Parse your weblogs at the end of each day? -- Andy McKay www.agmweb.ca ----- Original Message ----- From: "Craeg K Strong" <cstrong@arielpartners.com> To: <zope-dev@zope.org> Sent: Tuesday, October 08, 2002 2:48 PM Subject: [Zope-dev] How can I find out who visited a URL within my Zope Product?
Hello:
I would like to log the identity of the authenticated user for *every* URL traversal within my Zope Product.
For example, let's say that my forms-based web application contains 50 screens. They are all protected such that only authenticated users can view them. Any one of them could be bookmarked, so a user could "jump in" at any point.
I want to record the fact that a user visited a screen, each and every time they do so.
A natural place to do this would be in a pre-traversal hook, but I seem to be stymied by the lack of authentication information in __bobo_traverse__ or __before_publishing_traverse__
Can anyone think of a way this could be done?
I suppose I could hack all of my ZPTs to call a "registerUser" method by putting it in an empty <span> in their shared header, but that seems to mix concerns. Why should my ZPTs have knowledge of this workflow requirement?
Thanks in advance!
--Craeg
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
I figured out a way to do this, although it uses an unpublished method. In my __before_publishing_traverse__ I do the following: if not request.has_key('userId'): # # Get authentication information from the REQUEST, where it # is held in encrypted form. # # This code is copied directly from BaseRequest.py It uses # an unpublished method, but I see no decent alternative. # # CKS 10/8/2002 # auth=request._authUserPW() if auth: name,password = auth request['userId'] = name However, others have posted some interesting alternative solutions that don't involve using unpublished methods.. :) My reason for needing this follows. If you don't care, hit delete now :) We are using the Command pattern, so every user gesture becomes an execution of a Command. Each Command is logged. The logged Command includes the user, datetime the command was executed, and other relevant information. This gives us a full audit trail, undo-able commands, capability to "replay history", etc. The act of visiting a URL is also a Command, and is logged as such. Why? Because that way we can provide roughly similar functionality to sending a package "return receipt requested" If we send an email to a counterparty to a legal contract with a URL to the contract, we know that they saw the contract by observing a VisitURL Command with their user ID and the URL of the contract. That means they read the email and clicked on the URL we sent (or navigated to it through some other means). My application can then automatically send notifications to others based on the execution of the VisitURL Command. I can send email to my group saying "So and so has seen the contract" In this particular case, we are writing an invoicing application, so the moment the client "sees" the invoice this way, the Net-30 clock starts ticking.... If, after a reasonable period of time, we STILL haven't seen a VisitURL Command logged, we know that the recipient either hasn't read his mail or hasn't clicked on the URL. We can then send it to someone else or call his boss and complain ;-) --Craeg Craeg K Strong wrote:
Hello:
I would like to log the identity of the authenticated user for *every* URL traversal within my Zope Product.
For example, let's say that my forms-based web application contains 50 screens. They are all protected such that only authenticated users can view them. Any one of them could be bookmarked, so a user could "jump in" at any point.
I want to record the fact that a user visited a screen, each and every time they do so.
A natural place to do this would be in a pre-traversal hook, but I seem to be stymied by the lack of authentication information in __bobo_traverse__ or __before_publishing_traverse__
Can anyone think of a way this could be done?
I suppose I could hack all of my ZPTs to call a "registerUser" method by putting it in an empty <span> in their shared header, but that seems to mix concerns. Why should my ZPTs have knowledge of this workflow requirement?
Thanks in advance!
--Craeg
If we send an email to a counterparty to a legal contract with a URL to the contract, we know that they saw the contract by observing a VisitURL Command with their user ID and the URL of the contract. That means they read the email and clicked on the URL we sent (or navigated to it through some other means).
Correct.
My application can then automatically send notifications to others based on the execution of the VisitURL Command. I can send email to my group saying "So and so has seen the contract"
Incorrect.
In this particular case, we are writing an invoicing application, so the moment the client "sees" the invoice this way, the Net-30 clock starts ticking....
This shows that they read the original email, and intended to view the contract at the URL. However, after that point, we only know that Zope attempted to send the page at the URL back to the browser. You have no proof that such data was ever received by the browser in any way meaningful to the end-user. This gets even more complicated when http proxies are involved. -- Steve Alexander
Steve Alexander wrote:
My application can then automatically send notifications to others based on the execution of the VisitURL Command. I can send email to my group saying "So and so has seen the contract"
Incorrect.
This shows that they read the original email, and intended to view the contract at the URL. However, after that point, we only know that Zope attempted to send the page at the URL back to the browser. You have no proof that such data was ever received by the browser in any way meaningful to the end-user. This gets even more complicated when http proxies are involved.
You are right, of course, but I believe that, for our purposes, this is a distinction without a difference. The notification is purely for administrative purposes-- just a convenient reminder to our client if their invoice has not been paid yet. If *their* client denies that they have seen the invoice, we don't have a legal basis for non-repudiation, but as it turns out, this is a pretty rare problem in practice. I suppose the only way to legally guarantee that someone has seen something delivered as a web page is for them to attach their digital signature to the form and submit it back to the server. Ultimately we will probably have to do this, but for now the VisitURL notification is enough... --Craeg
On Tuesday 08 Oct 2002 10:48 pm, Craeg K Strong wrote:
Hello:
I would like to log the identity of the authenticated user for *every* URL traversal within my Zope Product.
For example, let's say that my forms-based web application contains 50 screens. They are all protected such that only authenticated users can view them. Any one of them could be bookmarked, so a user could "jump in" at any point.
I want to record the fact that a user visited a screen, each and every time they do so.
A natural place to do this would be in a pre-traversal hook, but I seem to be stymied by the lack of authentication information in __bobo_traverse__ or __before_publishing_traverse__
Can anyone think of a way this could be done?
It cant be done *inside* either of these methods because authentication is not performed until after traversal has been completed. I guess it would be useful for you to have access to other information, such as the response code and body length, that are only available once the request has been fully processed. I have a product which does a similar job. The cleanest implementation I could find was use one of the methods you suggest to call the REQUEST._hold method. This gets the request object to hold on to the object you provide, and delete its reference when the request is finished. Your object can provide a __del__ method that performs the real work. Thats nasty, but it works. I would be interested if you could find anything nicer.
participants (5)
-
Andy McKay -
Craeg K Strong -
Steve Alexander -
Tim McLaughlin -
Toby Dickenson