I'm new to Zope and having some trouble understanding the user authentication procedures.
 
I've defined several user roles to suit my needs (author, moderator, maintainer, partner, etc.) and want to be able to provide access to objects based on whether a user has privileges dictated by those roles, for the specific object. My problem is that I don't want Zope to handle the authentication, rather I would like to provide a login form for users.
 
Normally I would keep user data in an RDBMS, let the user log in, I'd grab their permissions, issue a session_id either as a cookie or part of the URL, and enter the session_id/permissions into a hashtable or some other storage so that I could check it when I needed to, and delete it when the session lapses or the user logs out.
 
Do I need to do essentially the same thing in Zope, or is there some way that I can authenticate a user from a DTML login method and have that authentication persist (and be queryable) throughout the user's session until they log off?
 
It's my understanding that with HTTP authentication, Zope will essentially manage the session persistence so that later on I could use the AUTHENTICATED_USER object to find out who I'm dealing with and act accordingly, but is there a way to do the authentication from DTML? I can't seem to locate such method calls in the documentation, and I don't know how Zope stores session information.
 
Of course, I could be looking at this the wrong way. Is Zope's security setup even intended to provide ways of managing a user's session and the content they can view and manipulate, or is it mainly intended for managing access by people who will be dealing with Zope itself (this is what all of the documentation examples tend toward)?
 
Any help will be greatly appreciated....
 
Thanks,
 
Jason Jones
jason_j@countermedia.org
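A plain-Python sketch of the session table described in the post (log in, record the user's roles, hand back an opaque session id, check it per object, drop it on logout or idle timeout), added here as an illustration and not code from this thread or from Zope; the `SessionStore` class, its method names and the injectable `now` clock are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """In-memory table: session_id -> {user, roles, expires}.

    The id would be sent to the browser as a cookie; it is an opaque
    random token, so knowing a username reveals nothing about the id.
    """

    def __init__(self, ttl_seconds=1800, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock, used by the test
        self._sessions = {}

    def login(self, user, roles):
        # 128 bits from the OS CSPRNG; never derived from user data
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {
            "user": user,
            "roles": set(roles),
            "expires": self.now() + self.ttl,
        }
        return sid

    def lookup(self, sid):
        """Return the session entry if it exists and has not lapsed."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < self.now():
            del self._sessions[sid]   # lapsed: forget it server-side
            return None
        entry["expires"] = self.now() + self.ttl   # sliding idle timeout
        return entry

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def may_access(self, sid, roles_allowed_on_object):
        """True only if the session is live and shares a role with the object."""
        entry = self.lookup(sid)
        return entry is not None and bool(entry["roles"] & set(roles_allowed_on_object))


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.login("alice", ["author"])          # constructed sample user
    print(store.may_access(sid, ["author", "moderator"]))   # True
    print(store.may_access(sid, ["maintainer"]))            # False
```

Per-object role checks stay server-side against this table; the cookie carries only the id, never the roles.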