This seems to all make sense now... except I am still having problems. I have the security set for a directory such that no anon permissions are set, and 'view' is not set to acquire permissions... however, anybody can still view the page. Why is this so? I have jumped on another box, and the page loads up without prompting for any authentication! I was expecting it to only authenticate the owner or manager of the directory.

terry

Martijn Pieters wrote:
At 01:56 9-10-99 , Dyon Balding wrote:
It isn't that easy actually - it's a bit of a fiddle.
1) in the acl_users folder *above* where you want to deny access to, create a user 'AnonUser' with no password and domain = '*.*.*.*'
2) in the acl_users folder where you want access denied to, create a user 'AllowedUser' with no password and domain '*.your.domain'
3) In the standard_html_header in the second folder add some dtml code

    <dtml-if "_.str(REQUEST['AUTHENTICATED_USER'])=='AnonUser'">
      <dtml-call "RESPONSE.redirect('denied')">
    </dtml-if>
    <html> etc etc

and create a DTML method called 'denied' that explains to the person what's going on. *Don't* use standard_html_header in the 'denied' method as you'll get infinite recursion.
This is a bit of a faff - I may well look at Apache rewrite rules to restrict access to a site as a whole.
that's pretty damn convoluted, our site, which i feel would be well suited to zope development requires quite a bit of authentication. we are a university department, and currently use an apache ldap module to authenticate. we have sections of the site that need to be limited to the department only, and other sections that need to be limited by other groups.
zope's authentication for management seems good, but there must be an easier way to limit user access.
any pointers?
I think Tony mixed up a tip from me on how to _exclude_ access from a certain domain. Zope's access control is very powerful and very simple, but if you want to exclude one domain from access you have to twist and wriggle a bit. Tony wriggled a bit further in that direction to get 'normal' access control.
Normally, you'd define a new Role (like 'Visitor'), that you give the permissions that the Anonymous role normally has, and revoke all Anonymous permissions. Then you can assign that role to anyone you want to have access. See the Z Content Managers Guide on Zope.org.

--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| T: +31 35 7502100 F: +31 35 7502111
| mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
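Added example, not part of the original messages and not Zope's own code: a simplified Python model of the 'Visitor' role setup described above, with a small audit that lists why an unauthenticated request would still hold 'View' on a folder. The Folder class, the folder names and the user 'alice' are constructed for illustration, and the model assumes that every request holds the Anonymous role and that a permission with acquire switched on also takes the roles granted by parent folders.

```python
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.perms = {}        # permission -> (roles granted here, acquire flag)
        self.local_roles = {}  # user -> roles granted in this folder

    def set_permission(self, permission, roles, acquire):
        self.perms[permission] = (set(roles), acquire)

    def roles_for(self, permission):
        """Roles holding `permission` here, walking up while acquire is on."""
        roles, acquire = self.perms.get(permission, (set(), True))
        if acquire and self.parent is not None:
            return roles | self.parent.roles_for(permission)
        return set(roles)

    def user_roles(self, user):
        """Everyone holds Anonymous; local roles apply to subfolders too."""
        roles, node = {"Anonymous"}, self
        while node is not None:
            roles |= node.local_roles.get(user, set())
            node = node.parent
        return roles

    def allowed(self, user, permission):
        return bool(self.user_roles(user) & self.roles_for(permission))


def build_site():
    """Constructed site: public root, restricted 'dept' folder."""
    root = Folder("root")
    root.set_permission("View", {"Anonymous", "Manager"}, acquire=False)
    dept = Folder("dept", parent=root)
    # Visitor replaces Anonymous; acquire is off so root's grant does not apply.
    dept.set_permission("View", {"Visitor", "Manager"}, acquire=False)
    dept.local_roles["alice"] = {"Visitor"}
    return root, dept


def audit(folder, permission="View"):
    """Reasons an unauthenticated request would still hold `permission`."""
    findings = []
    roles, acquire = folder.perms.get(permission, (set(), True))
    if "Anonymous" in roles:
        findings.append("Anonymous granted locally")
    if acquire and folder.parent is not None \
            and "Anonymous" in folder.parent.roles_for(permission):
        findings.append("Anonymous acquired from parent")
    return findings
```

In this model, audit() returns an empty list for the restricted folder, and switching acquire back on for 'View' makes it report the grant inherited from the root.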