I have just set up a LoginManager following the LoginManager with SQL and Skinscripts by dlpierson. Now I'm thinking about how to set up security for my LoginManager. At the moment it's very open for anyone who has DTML permissions on my lab server. Not so great.

LoginManager has permissions set to:

    Manager --- All
    Anonymous --- "Access contents information", "Use Database Methods"
    "Acquire permission settings?" --- None

Now, this is needed to allow an Anonymous user to log in. But it also makes it possible for an Anonymous user to access the following DTML Method in the root folder:

    <dtml-var standard_html_header>
    <pre>
    <b>test.acl_users.getUser('a').username</b>
    <dtml-with test>
    <dtml-with acl_users>
    getUser('c').username: <dtml-var "getUser('c').username">
    getUser('c').password: <dtml-var "getUser('c').password">
    getUser('c').getRoles: <dtml-var "getUser('c').getRoles()">
    </dtml-with>
    </dtml-with>
    </pre>
    <pre>
    <b>dtml-in "sql_getUserFor(username='c')"</b>
    <dtml-with test>
    <dtml-with acl_users>
    <dtml-in "sql_getUserFor(username='c')">
    username: <dtml-var username>
    password: <dtml-var password>
    </dtml-in>
    </dtml-with>
    </dtml-with>
    </pre>
    <dtml-var standard_html_footer>

Which returns (where there is a user named 'c'):

    test.acl_users.getUser('a').username
    getUser('c').username: c
    getUser('c').password: d
    getUser('c').getRoles: ['test']

    dtml-in "sql_getUserFor(username='c')"
    username: c
    password: d

Now the question is how (and where) should I configure permissions so LoginManager gets secured?

TIA/Johan Carlsson