At 15:11 14/10/99 , Jason Cunliffe wrote:
Hello
Like most here I am very impressed with Zope - concept, community, scope, potential etc. and am specifying Zope for an upcoming maritime transport e-commerce project. Users & End-users (are there really ever such a group?) may be using our 'smart-map' web site from kjhkh-knows-what machine, fdsf-knows-where.
I am concerned about how to prevent access to management screens when someone does not fully quit the web browser after a management session. Either I have missed something so basic about zope permissions, or it has missed my application.context.
It seems that if I log-on as zope site manager/developer/contentprovider, and do some privileged site work, but then walk away from the browser [even though I have left it on another URL entirely], then the next person can step up to the machine, click 'back', use 'history', or type in www.mysite.com:8080/somefolder/manage - and bingo slide back into my shoes with those powers!
...oops! ouch.. Tell me I am wrong please. If this is true what does anyone recommend?
Yes, I can give people beautifully written instructions: DO NOT do 'thisXYZABC'- please_Youvebeenwarned' .. but real-world conditions with people I may never meet, who don't speak English very well, or are using a Kiosk terminal etc are another matter. [not to mention speaking simple webese- or intermediate zope/python not too well]
Is there some nice code {JavaScript/Zope} you can think of to check the fact once the browser focus has moved onto another page or something, then I am obliged to re-enter user:password information?
Ditto what can I do when a user of the browser has selected the 'remember password' item? Is there a clean way to zope around this?
You could switch to cookie based authentication. UserDB, a User Folder that authenticates against a backend RDBMS, supports cookies, and so does the User Folder that is used at zope.org. Cookies you can expire, and that browser with the 'remember password' can be told to forget about a certain HTML password input box (which it normally could also remember for you).

--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| Tel: +31-35-7502100 Fax: +31-35-7502111
| mailto:mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
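An added example, not part of the original thread and not code from Zope or UserDB: a sketch of the server side of cookie-based authentication in which the idle timeout is enforced from a signed timestamp, so a browser left open on a shared machine stops being authenticated without relying on the client to drop the cookie. The cookie layout, function names and timeout values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # signing key, generated per process for this example
IDLE_TIMEOUT = 300                # assumed: seconds of inactivity before re-login
MAX_LIFETIME = 3600               # assumed: absolute cap on one session
_revoked = set()                  # session ids ended by an explicit logout

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue(user, now, started=None, sid=None):
    """Build the cookie value: sid|user|started|last_seen|mac."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    sid = sid or secrets.token_hex(16)
    started = now if started is None else started
    payload = f"{sid}|{user}|{started}|{now}"
    return f"{payload}|{_sign(payload)}"

def check(cookie, now):
    """Return (user, refreshed_cookie), or (None, None) when login is required."""
    try:
        sid, user, started, last_seen, mac = cookie.split("|")
        payload = f"{sid}|{user}|{started}|{last_seen}"
        started, last_seen = int(started), int(last_seen)
    except ValueError:
        return None, None                      # malformed cookie
    if not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return None, None                      # forged or edited cookie
    if sid in _revoked:
        return None, None                      # user logged out
    if now - last_seen > IDLE_TIMEOUT or now - started > MAX_LIFETIME:
        return None, None                      # abandoned or over-long session
    # Sliding renewal: same session id and start time, fresh last_seen.
    return user, issue(user, now, started, sid)

def logout(cookie):
    """Revoke the session server-side so a 'back' click cannot revive it."""
    parts = cookie.split("|")
    if len(parts) == 5:
        _revoked.add(parts[0])
```

Each authenticated response would set the refreshed value as the new cookie; a production deployment would keep the revocation list in shared storage and send the cookie only over HTTPS.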