re: struggling with a session-based LoginMethod
Hi,

thanks for the tip, but it didn't solve the problem. But I found a workaround after trying many different things, it's a hack but it works :-)

in the index_html, I put:

<dtml-var header>
<dtml-try>
  <dtml-var content>
<dtml-except>
  <FORM action="<dtml-var "idUrl(url='login')">" method="POST">
  <tr height="4">
    <td colspan=2 width="650" height="4"><b>Bitte melden Sie sich zunächst an</b></td>
  </tr>
  <TR>
    <th>Benutzer</th>
    <td>
      <input type="hidden" name="GalileoSession" value="<dtml-var expr="sdm.getToken()">">
      <input type="text" name="__ac_name" size=40>
    </td>
  </TR>
  <TR>
    <th>Passwort</th>
    <td><input type="password" name="__ac_password" size=40></td>
  </TR>
  <TR>
    <TD></TD>
    <td>
      <dtml-comment>html_quote keeps the referer value from breaking out of the attribute</dtml-comment>
      <input type="hidden" name="goto" value="<dtml-var HTTP_REFERER html_quote>">
      <input type="submit" name="LogMeIn" value=" Log In ">
    </td>
  </TR>
  </FORM>
</dtml-try>
<dtml-if "REQUEST.has_key('LogMeIn') and AUTHENTICATED_USER.getUserName() != 'Anonymous User'">
  <dtml-var mitte>
</dtml-if>

I had to put in the Form directly, anything else didn't work.

login/content looks like this:

<table width="100%" border="0">
<dtml-with "AUTHENTICATED_USER">
<table border="0" cellpadding="0" cellspacing="2" width="450">
<dtml-if "AUTHENTICATED_USER.getUserName() == 'Anonymous User'">
  <dtml-if "REQUEST.has_key('LogMeIn')">
    <tr><td>Login failed !!</td></tr>
  </dtml-if>
  <FORM action="<dtml-var "idUrl(url='./')">" method="POST">
  <tr height="4">
    <td colspan=2 width="650" height="4"><b>Bitte melden Sie sich an</b></td>
  </tr>
  <TR>
    <th>Benutzer</th>
    <td>
      <input type="hidden" name="GalileoSession" value="<dtml-var expr="sdm.getToken()">">
      <input type="text" name="__ac_name" size=40>
    </td>
  </TR>
  <TR>
    <th>Passwort</th>
    <td><input type="password" name="__ac_password" size=40></td>
  </TR>
  <TR>
    <TD></TD>
    <td>
      <input type="hidden" name="goto" value="<dtml-var HTTP_REFERER html_quote>">
      <dtml-comment>
      <input type="hidden" name="goto" value="<dtml-var expr="idUrl(url=HTTP_REFERER)">">
      </dtml-comment>
      <input type="submit" name="LogMeIn" value=" Log In ">
    </td>
  </TR>
  </FORM>
<dtml-else>
  <dtml-if "REQUEST.has_key('goto')">
    <dtml-in "SQL_gesperrt(benutzer=AUTHENTICATED_USER.getUserName())">
      <dtml-call "REQUEST.set('frei',freigegeben)">
    </dtml-in>
    <dtml-if "frei == 's'">
      <b>Dieser Benutzer ist gesperrt.</b>
    <dtml-else>
      <dtml-call "RESPONSE.redirect(goto)">
    </dtml-if>
  </dtml-if>
</dtml-if>
</table>
</dtml-with>
</table>

The code at the bottom covers a special case in this application, where the user access is locked. The interesting and remaining problem is that if the condition is true, the text is displayed twice !!!!!!!

On Thu, 8 Nov 2001, Andrew Kenneth Milton wrote:

> Hi there, someone asked me to drop you a line about your problem you posted on zope-dev.
>
> I can't directly help you with LoginManager, which you might be tied to.
>
> I'm the principal developer of exUserFolder, which is an extensible user folder that lets you write auth plugins. It's fairly easy to write them from scratch. This isn't a plug, just a warning d;)
>
> I can reproduce the behaviour you are seeing, *if* inside the locked folder I allow "View" permission to Anonymous on content. Then it throws the Basic Auth instead of the Form Auth it should throw as it tries to access protected objects (this is because the acquired object is above the level where the acl_users that uses Cookie Auth is); this is normally standard_html_header.
>
> It might be as simple as turning off View for Anonymous on content inside testFolder, this will force the initial access to throw the Login Required exception in the right context.
>
> If this works for you feel free to share with the zope-dev list.
>
> I have tested the following setup;
>
> /openFolder
> /openFolder/acl_users (exUserFolder using Cookie Auth)
> /openFolder/index_html
> /openFolder/lockedFolder/
> /openFolder/lockedFolder/content
>
> In all cases access to lockedFolder uses the form based login: calling content directly, calling index_html (which is acquired), and calling lockedFolder/ without explicitly calling index_html. This is without View for Anonymous allowed.
>
> --
> Totally Holistic Enterprises Internet | Andrew Milton
> The Internet (Aust) Pty Ltd           | ACN: 082 081 472  ABN: 83 082 081 472
> M: +61 416 022 411                    | Carpe Daemon
> PO Box 837 Indooroopilly QLD 4068     | akm@theinternet.com.au

Kind regards
Joachim Schmitz
AixtraWare, Ing. Büro für Internetanwendungen
Hüsgenstr. 33a, D-52457 Aldenhoven
Phone: +49-2464-8851, FAX: +49-2464-905163
+-------[ Joachim Schmitz ]----------------------
| Hi,
|
| thanks for the tip, but it didn't solve the problem. But I found a
| workaround after trying many different things, it's a hack but it works :-)

It's probably something in your header. An exception is being thrown by an acquired object, which is a level above your acl_users folder, or during the display of the loginform.

If your loginform includes your header, you need to make sure that View perms are explicitly allowed for your header (and for anything else called by your loginform).

This is definitely a permissions based problem. You just have to work out which object it is that has the wrong permissions on it.
On Thu, 8 Nov 2001, Andrew Kenneth Milton wrote:

> +-------[ Joachim Schmitz ]----------------------
> | Hi,
> |
> | thanks for the tip, but it didn't solve the problem. But I found a
> | workaround after trying many different things, it's a hack but it works :-)
>
> It's probably something in your header. An exception is being thrown by an acquired object, which is a level above your acl_users folder, or during the display of the loginform.
>
> If your loginform includes your header, you need to make sure that View perms are explicitly allowed for your header (and for anything else called by your loginform).
>
> This is definitely a permissions based problem. You just have to work out which object it is that has the wrong permissions on it.

I thought so too, and I just removed any other references so there is just the bare Form, without any other includes, still it does not use the loginForm, which it does, when I call content directly, so:

AppFolder/protectFolder/content works

AppFolder/protectFolder does not work

also the ZDebugger tells me, after canceling the password-box, that Anonymous does not have access to "content"

Kind regards
Joachim Schmitz
+-------[ Joachim Schmitz ]----------------------
|
| I thought so too, and I just removed any other references so there is just the
| bare Form, without any other includes, still it does not use the loginForm,
| which it does, when I call content directly, so:
|
| AppFolder/protectFolder/content works
|
| AppFolder/protectFolder does not work

Are you acquiring index_html ?
On Thu, 8 Nov 2001, Andrew Kenneth Milton wrote:

> +-------[ Joachim Schmitz ]----------------------
> |
> | I thought so too, and I just removed any other references so there is just the
> | bare Form, without any other includes, still it does not use the loginForm,
> | which it does, when I call content directly, so:
> |
> | AppFolder/protectFolder/content works
> |
> | AppFolder/protectFolder does not work
>
> Are you acquiring index_html ?

Yes !

Kind regards
Joachim Schmitz
+-------[ Joachim Schmitz ]----------------------
|
| >
| > Are you acquiring index_html ?
| >
| Yes !

is index_html calling something that is *inside* the locked folder?
On Thu, 8 Nov 2001, Andrew Kenneth Milton wrote:

> +-------[ Joachim Schmitz ]----------------------
> |
> | >
> | > Are you acquiring index_html ?
> | >
> | Yes !
>
> is index_html calling something that is *inside* the locked folder?

that's the idea of this setup, you have only one index_html in the root-folder which looks like this:

<dtml-var header>
<dtml-var content>
<dtml-var footer>

so you just set up a new folder with a content method in it.

Kind regards
Joachim Schmitz
+-------[ Joachim Schmitz ]----------------------
|
| > | Yes !
| >
| > is index_html calling something that is *inside* the locked folder?
|
| that's the idea of this setup, you have only one index_html in the root-folder
| which looks like this:
|
| <dtml-var header>
| <dtml-var content>
| <dtml-var footer>
|
| so you just setup a new folder with a content method in it.

You also have to be careful it doesn't just acquire one from above that it does have permissions for...

try this;

------------------------------------------------------------------------
<dtml-var header>
<dtml-try>
  <dtml-var content>
<dtml-except Unauthorized>
  <dtml-call "RESPONSE.redirect('acl_users/docLogin?destination='+URL)">
</dtml-try>
<dtml-var footer>
------------------------------------------------------------------------

This mess will change when the traversal security is fixed to stop when it reaches somewhere you don't have permissions to.
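Both versions in this thread hand the post-login target to RESPONSE.redirect straight from a request parameter: the hidden goto field filled from HTTP_REFERER in Joachim's login/content, and the destination parameter in the workaround just posted. As an added example, not code from either poster or from exUserFolder, here is a Python check that only lets a same-site target through before it is used as a redirect; SITE_URL and the fallback page are constructed values.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the thread. It validates the post-login target
# that the "goto" field and the "destination" parameter carry before it is
# handed to RESPONSE.redirect(). SITE_URL and FALLBACK are constructed values
# standing in for the Zope site root and its default page.
SITE_URL = "https://www.example.invalid/AppFolder"
FALLBACK = "index_html"


def safe_destination(target, site_url=SITE_URL):
    """Return an absolute URL under site_url, or site_url/FALLBACK.

    Accepts relative paths and absolute URLs on the site's own scheme and
    host. Rejects other hosts and schemes (javascript:, data:), the
    protocol-relative "//host" form, backslashes (browsers read them as
    slashes), ".." escapes above the site root, control characters, empty
    values and unparsable input.
    """
    site = urlsplit(site_url)
    fallback = urlunsplit((site.scheme, site.netloc,
                           posixpath.join(site.path, FALLBACK), "", ""))
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback
    try:
        parts = urlsplit(target.replace("\\", "/"))
    except ValueError:            # e.g. an unbalanced "[" in the host part
        return fallback
    if parts.scheme or parts.netloc:
        # Absolute (or //host) URL: scheme and host must match the site exactly.
        if (parts.scheme.lower(), parts.netloc.lower()) != (site.scheme, site.netloc):
            return fallback
    # Resolve a relative path against the site root, then collapse "." and "..".
    if parts.path.startswith("/"):
        path = parts.path
    else:
        path = posixpath.join(site.path, parts.path)
    path = posixpath.normpath(path)
    if path != site.path and not path.startswith(site.path + "/"):
        return fallback
    return urlunsplit((site.scheme, site.netloc, path, parts.query, ""))
```

Anything the check rejects lands on the site's own default page instead of being followed, which is the behaviour you want from a login form that accepts its target from the browser.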
On Thu, 8 Nov 2001, Andrew Kenneth Milton wrote:

> +-------[ Joachim Schmitz ]----------------------
> |
> | > | Yes !
> | >
> | > is index_html calling something that is *inside* the locked folder?
> |
> | that's the idea of this setup, you have only one index_html in the root-folder
> | which looks like this:
> |
> | <dtml-var header>
> | <dtml-var content>
> | <dtml-var footer>
> |
> | so you just setup a new folder with a content method in it.
>
> You also have to be careful it doesn't just acquire one from above that it does have permissions for...
>
> try this;
>
> ------------------------------------------------------------------------
> <dtml-var header>
> <dtml-try>
>   <dtml-var content>
> <dtml-except Unauthorized>
>   <dtml-call "RESPONSE.redirect('acl_users/docLogin?destination='+URL)">
> </dtml-try>
> <dtml-var footer>
> ------------------------------------------------------------------------
>
> This mess will change when the traversal security is fixed to stop when it reaches somewhere you don't have permissions to.

thanks, that was the workaround similar to the one I already found, didn't you see my mail on the list ?

Kind regards
Joachim Schmitz
+-------[ Joachim Schmitz ]----------------------
|
| thanks, that was the workaround similar to the one, I already found, didn't
| you see my mail on the list ?

I'm not on the list...