thanks for the replies....I think Art has it figured out. Unfortunately it seems that unless I switch to cookies, I am not going to be able to make it work like I had planned....that's fine....at least I understand how it works now....hopefully this will help others down the track who stumble on the same thing. It would be nice to get access to AUTHENTICATED_USER without necessarily challenging the browser.
Darcy

Art Hampton wrote:
I think I might be able to help.
If you're using cookie based authentication, read no further, I can't help.
If you're using basic authentication, you aren't (and won't be) challenging the remote browser.
With basic authentication, clients tend to send authentication info only if they are challenged to do so. Unfortunately, the only way to challenge them is to refuse to serve the document.
Because your document is visible to all users, the document is served. No challenge (unauthorized) is raised. Therefore the authentication info is never sent. Therefore you don't know who they are.
To verify this, add the line: <dtml-var "AUTHENTICATED_USER.getUserName()"> somewhere on the page (<dtml-var AUTHENTICATED_USER> should also work). It will say "Anonymous User" for the reasons stated above.
I had the same problem with my site, so I ended up creating an "Authenticated" role. I locked down the entire site so that you need the "Authenticated" group to view anything, with the exception of the login instructions on the front page of the site.
As I understand things, you can avoid this by using cookie based authentication. But that isn't currently an option for me.
Darcy Clark wrote:
I am trying to implement a mechanism to let managers edit content on a site that I am building. I have the following statement on various pages to add certain functionality to pages based on the authenticated user's roles:
<dtml-if "AUTHENTICATED_USER.has_role(['Manager'])">
blah blah (e.g. display an edit or delete button)
</dtml-if>
I am currently authenticating by a login link in the standard_html_header to a DTML document that opens in a new window and can only be viewed by a Manager (I edited the security setting for this particular object so that only managers could view it). If the manager logs in correctly, a javascript closes the login window and reloads the original page to presumably now include the editing and deleting buttons on my content....but it doesn't work. Can anyone explain to me why, if the authenticated user logs in to view a particular object, the above snippet of code doesn't return true in other objects within the same hierarchy?
thanks in advance,
(I suspect I am not 'grokking' something here....heh)
--
---------------------------------------------------
Ph: (734) 764 3377
Email: darcyc@engin.umich.edu
URL: http://www-personal.engin.umich.edu/~darcyc/
---------------------------------------------------
'If you're not part of the solution, you're part of the precipitate' ..... Steven Wright
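Art's point above (a publicly viewable document is served without a 401, so the browser never sends Basic credentials and AUTHENTICATED_USER stays "Anonymous User") as an added simulation; this is example code, not from the thread or from Zope, and the users, paths and the simplified browser (which only sends credentials in reply to a 401 and does not cache them) are constructed for illustration:

```python
import base64
import hmac

# Constructed data for this example (not from the thread).
USERS = {"darcy": "s3cret"}       # name -> password
ROLES = {"darcy": {"Manager"}}    # name -> roles
PROTECTED = {"/login_doc"}        # only the Manager role may view these


def authenticate(headers):
    """Return the user name carried by a Basic Authorization header,
    or 'Anonymous User' when the header is absent or invalid."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return "Anonymous User"
    try:
        raw = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "Anonymous User"
    name, _, password = raw.partition(":")
    expected = USERS.get(name, "")
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return name
    return "Anonymous User"


def serve(path, headers):
    """Return (status, user) for one request. A 401 challenge is raised
    only when the identified user may not view the document."""
    user = authenticate(headers)
    if path in PROTECTED and "Manager" not in ROLES.get(user, set()):
        return 401, user  # the only moment the browser is asked for credentials
    return 200, user      # public document: served with no challenge at all


class Browser:
    """Client that attaches credentials only in response to a 401.
    Simplified: it does not remember them for later requests."""
    def __init__(self, name, password):
        token = base64.b64encode(f"{name}:{password}".encode()).decode()
        self.cred = "Basic " + token

    def get(self, path):
        status, user = serve(path, {})
        if status == 401:
            status, user = serve(path, {"Authorization": self.cred})
        return status, user
```

Fetching a public page yields "Anonymous User" even though the browser holds valid credentials; only the protected document triggers the challenge that identifies the user.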