-----Original Message-----
From: Guy Davis [mailto:davis@arc.ab.ca]
I am trying to disallow anonymous access for all but a handful of domains. This is easy to do with Apache, but how can it be done with Zope?
The only thing I could think of was to have the following in the standard_html_header.
<dtml-if "AUTHENTICATED_USER == 'Anonymous User'" >
  {if remote address is acceptable}
    {show the true page}
  {else show an error message}
<dtml-else>
  {show the true page}
</dtml-if>
However the above expression never evaluates to true even when <dtml-var AUTHENTICATED_USER> shows 'Anonymous User' on the same page. If I try to use string.find(), Zope complains that AUTHENTICATED_USER is a bad argument.
Is there some way to salvage what I'm doing, or better yet is there a simpler mechanism to achieve this goal? Thanks.
Yes. You can make a new Role, let's call it DomainUser. You give this Role all privileges that the Anonymous Role has, and you revoke all rights from the Anonymous Role.

Now you create a new user, and call this AnonymousDomainUser. This user you give _no_ password, just leave the password fields blank. You do specify the domains however; it is a space separated list of domain specs, where each domain spec can be either a domain name, or an IP address, where wildcards can be used anywhere between the dots. For example:

  *.zope.org *.digicool.com 192.8.*.*

is a valid domain spec. And you also give the user the DomainUser Role.

Now, as soon as a visitor comes to your site from a domain that matches the domain spec, Zope will, without asking for a password, match him against the AnonymousDomainUser User, give him the DomainUser Role, and grant that visitor access. Anyone from any other domain will be prompted for a username and password.

--
Martijn Pieters, Software Engineer
| Digital Creations http://www.digicool.com
| Creators of Zope http://www.zope.org
| mailto:mj@digicool.com ICQ: 4532236
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
-------------------------------------------
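The domain-spec matching described in the reply above, sketched as an added example that is not part of the original thread and is not Zope's own code. It assumes each `*` stands for exactly one dot-separated label; the function names and the sample requests are constructed for illustration.

```python
def spec_matches(spec, value):
    """Compare one domain spec with a host name or IPv4 address, label by label.

    Assumption: '*' matches exactly one label, so label counts must be equal.
    This keeps '*.zope.org' from matching 'www.zope.org.example.net'.
    """
    spec_labels = spec.lower().split(".")
    value_labels = value.lower().rstrip(".").split(".")
    if len(spec_labels) != len(value_labels):
        return False
    return all(s == "*" or s == v for s, v in zip(spec_labels, value_labels))


def is_address_spec(spec):
    """True for specs made only of numbers and wildcards, e.g. '192.8.*.*'."""
    return all(label == "*" or label.isdigit() for label in spec.split("."))


def domain_allowed(domain_specs, remote_addr, remote_host=None):
    """Check a request against a space-separated list of domain specs.

    Address specs are compared only with the connection address and name
    specs only with the resolved host name, so a host name that merely
    looks like an address cannot satisfy an address spec.
    """
    for spec in domain_specs.split():
        if is_address_spec(spec):
            if spec_matches(spec, remote_addr):
                return True
        elif remote_host and spec_matches(spec, remote_host):
            return True
    return False


# The spec list from the reply; the requests below are constructed samples.
SPECS = "*.zope.org *.digicool.com 192.8.*.*"

if __name__ == "__main__":
    samples = [
        ("10.0.0.5", "www.zope.org"),              # name spec matches
        ("192.8.44.7", None),                      # address spec matches
        ("192.80.1.1", "host.example.net"),        # nothing matches
        ("10.0.0.5", "www.zope.org.example.net"),  # suffix lookalike rejected
    ]
    for addr, host in samples:
        print(addr, host, "->", domain_allowed(SPECS, addr, host))
```

Name specs depend on the server resolving the client address to a host name; without a resolved name, only the address specs can match.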