Site Access Rules and Permissions
Hi,

I have the following access rule:

<dtml-if "_.has_key('virtual_host') and REQUEST.environ['HTTP_HOST']==virtual_host">
  <dtml-call "REQUEST.setURL(path='/')">
</dtml-if>

The idea being that if a folder represents a virtual host (see the thread 'REQUEST vraible methods' on this list for background...) you can just give that folder a virtual_host property which the above rule checks for, and if it matches that in the header, it sets the base path to '/'.

However, if I try and access any folder with this rule in it, I get challenged for authentication and get 'Authorization failed' no matter what username and password I use, including the root ones!

What is going on?

Chris
----- Original Message ----- From: Chris Withers <chrisw@nipltd.com>
I have the following access rule:
<dtml-if "_.has_key('virtual_host') and REQUEST.environ['HTTP_HOST']==virtual_host">
  <dtml-call "REQUEST.setURL(path='/')">
</dtml-if>
However, if I try and access any folder with this rule in it, I get challenged for authentication and get 'Authorization failed' no matter what username and password I use, including the root ones!
Access Rules are triggered before authentication can be performed, so their permissions are nil. If you want them to access anything other than REQUEST (as you do) you must give them a Proxy role. Cheers, Evan @ digicool & 4-am
Evan,

Cheers, gave an anonymous proxy role, worked a treat :-)

I did notice while playing around with this that moving or copying DTML methods that have been set as site access rules did have some bizarre effects I wasn't expecting. I think when I copied one, it stopped working, or something like that...as well as some other such weirdities, is this to be expected?

Chris

PS: What do you, or anyone else for that matter, think of the rule as a solution to the problem in my earlier post? I don't *think* I need any magic folders or anything else, but I'd like to get a second (third, fourth and possibly fifth ;-) opinion before I put it into production...

<dtml-if "_.has_key('virtual_host') and REQUEST.environ['HTTP_HOST']==virtual_host">
  <dtml-call "REQUEST.setURL(path='/')">
</dtml-if>

Evan Simpson wrote:
----- Original Message ----- From: Chris Withers <chrisw@nipltd.com>
I have the following access rule:
<dtml-if "_.has_key('virtual_host') and REQUEST.environ['HTTP_HOST']==virtual_host">
  <dtml-call "REQUEST.setURL(path='/')">
</dtml-if>
However, if I try and access any folder with this rule in it, I get challenged for authentication and get 'Authorization failed' no matter what username and password I use, including the root ones!
Access Rules are triggered before authentication can be performed, so their permissions are nil. If you want them to access anything other than REQUEST (as you do) you must give them a Proxy role.
Cheers,
Evan @ digicool & 4-am
Hi! On Tue, 14 Mar 2000, Chris Withers wrote:
Cheers, gave an anonymous proxy role, worked a treat :-)
I'd be more interested in fixing the fast reload problem. There were some reports in the list, that after installing SiteAccess Zope sometimes hangs for a few seconds when you press Reload (in browser) a few times. I can confirm this behaviour, but I've never realized the problem is in SiteAccess - I never ran Zope without SiteAccess :)

Oleg.
----
Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.
Yeah, I heard that too, well, hopefully Evan can shed some light when he wakes up :-) Chris Oleg Broytmann wrote:
Hi!
On Tue, 14 Mar 2000, Chris Withers wrote:
Cheers, gave an anonymous proxy role, worked a treat :-)
I'd be more interested in fixing the fast reload problem. There were some reports in the list, that after installing SiteAccess Zope sometimes hangs for a few seconds when you press Reload (in browser) a few times. I can confirm this behaviour, but I've never realized the problem is in SiteAccess - I never ran Zope without SiteAccess :)
Oleg. ---- Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru Programmers don't die, they just GOSUB without RETURN.
----- Original Message ----- From: "Oleg Broytmann" <phd@phd.russ.ru>
I'd be more interested in fixing the fast reload problem. There were some reports in the list, that after installing SiteAccess Zope sometimes hangs for a few seconds when you press Reload (in browser) a few times. I can confirm this behaviour, but I've never realized the problem is in SiteAccess - I never ran Zope without SiteAccess :)
So you've confirmed this behavior, and it goes away if you remove SiteAccess? Does it matter whether you're using an Access Rule or SiteRoot, or is having the package installed enough to cause the problem? Cheers, Evan @ 4-am & digicool
On Tue, 14 Mar 2000, Evan Simpson wrote:
From: "Oleg Broytmann" <phd@phd.russ.ru>
I'd be more interested in fixing the fast reload problem. There were some reports in the list, that after installing SiteAccess Zope sometimes hangs for a few seconds when you press Reload (in browser) a few times. I can confirm this behaviour, but I've never realized the problem is in SiteAccess - I never ran Zope without SiteAccess :)
So you've confirmed this behavior, and it goes away if you remove
I never did it. I'll try to find a time to experiment.
SiteAccess? Does it matter whether you're using an Access Rule or SiteRoot,
I've never used AccessRule, only SiteRoot and env var SiteRootPATH.
or is having the package installed enough to cause the problem?
Will try it too... Oleg. ---- Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru Programmers don't die, they just GOSUB without RETURN.
On Tue, 14 Mar 2000, Evan Simpson wrote:
I'd more interested in fixing fast reload problem. There were some
It seems on one of my computers the problem went away when I tried to hunt :) - Zope 2.1.3 + SiteAccess 1.0.0 on Sun Sparc Solaris 2.5.1. I'll test linux installations later.

I have problems upgrading to 2.1.5 - initially Zope came up well, but when I tried to install 3rd-party modules (including SiteAccess) - I could not log in. I didn't trace the problem to SiteAccess or other product yet...

Oleg.
----
Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.
Hello!

Five minutes experiment - and the problem is narrowed down to SiteAccess. Clean and fresh install of Zope 2.1.5, then some 3rd-party modules - Zope came up well. Install SiteAccess - and I cannot log in to Zope. Authentication failed all the time. Seems SiteAccess became incompatible with latest Zope. Go back to 2.1.3, waiting for new Zopes and/or new SiteAccess' :)

Oleg.
----
Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.
Oleg Broytmann wrote:
Hello!
Five minutes experiment - and the problem is narrowed down to SiteAccess. Clean and fresh install of Zope 2.1.5, then some 3rd-party modules - Zope came up well. Install SiteAccess - and I cannot log in to Zope. Authentication failed all the time. Seems SiteAccess became incompatible with latest Zope. Go back to 2.1.3, waiting for new Zopes and/or new SiteAccess' :)
I can confirm this, SiteAccess broke my 2.1.5 installation. Oleg, if you want 2.1.4 I can email it to you. ethan fremen -- http://mindlace.net __________________ mindlace@imeme.net I don't want The Truth but I wouldn't mind a Big Analogy.
On Mon, 20 Mar 2000, mindlace wrote:
I can confirm this, SiteAccess broke my 2.1.5 installation. Oleg, if you want 2.1.4 I can email it to you.
Thanks! But I have it, and I didn't remove 2.1.3 directories while installing 2.1.5 :) Being long term programmer and sysadmin I always do double, even triple backups, and do recommend this for all people! Oleg. ---- Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru Programmers don't die, they just GOSUB without RETURN.
Hmmm,

It would appear that a Site Root and a Site Access Rule containing the following are NOT the same:

<dtml-call "REQUEST.setURL(base=SiteRootBASE, path=SiteRootPATH)">

as my site access rule didn't work :( (it left the URL, BASEx and absolute_url() unchanged)

The only way I could solve it was to do the following:

Site Access Rule:

<dtml-in virtual_hosts>
  <dtml-if "REQUEST.environ['HTTP_HOST']==_['sequence-item']">
    <dtml-call "REQUEST.set('SiteRootPATH','/')">
  </dtml-if>
</dtml-in>

And then put an empty SiteRoot object in the folder of each virtually hosted site.

Why did I need to do this? (more out of curiosity than anything else...)

Also why do the SiteRoot objects have to be in the folder of the virtually hosted site? Why can't I just have one in the root folder which gets picked up through acquisition (they're all blank anyway ;-)

And, most importantly of all, why does adding a site access rule prevent FTP access to Zope?

Chris
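The host check performed by the rule above, modelled in Python as an added example (it is not code from this thread or from SiteAccess). It goes beyond the DTML's exact string comparison by handling a missing Host header, mixed case, an explicit port and a trailing dot; `normalize_host`, `site_path_for` and the host names are assumptions made for illustration.

```python
import string

# Characters accepted in a hostname after lowercasing (assumption: ASCII names only).
_ALLOWED = set(string.ascii_lowercase + string.digits + "-.")


def normalize_host(raw):
    """Reduce a Host header value to a bare lowercase hostname.

    Returns None for a missing or malformed value, so the caller never
    rewrites the URL on input it does not fully understand.
    """
    if not raw:
        return None                      # HTTP/1.0 clients may send no Host header
    host, sep, port = raw.strip().lower().partition(":")
    if sep and not port.isdigit():
        return None                      # anything but a numeric port after ':'
    host = host.rstrip(".")              # "www.example.com." names the same host
    if not host or not set(host) <= _ALLOWED:
        return None
    return host


def site_path_for(environ, virtual_hosts):
    """Mirror the rule's loop over virtual_hosts.

    Returns '/' (the value the rule stores in SiteRootPATH) when the request's
    host is one of the configured names, otherwise None: leave the URL alone.
    """
    host = normalize_host(environ.get("HTTP_HOST"))
    if host is None:
        return None
    for configured in virtual_hosts:
        if normalize_host(configured) == host:
            return "/"
    return None


if __name__ == "__main__":
    hosts = ["www.example.com", "shop.example.com"]       # constructed sample
    for value in ["www.example.com", "WWW.Example.COM:8080",
                  "www.example.com.other.test", "www.example.com:80/x", None]:
        print(repr(value), "->", site_path_for({"HTTP_HOST": value}, hosts))
```

The Host header is supplied by the client, so the comparison is an exact match against the configured list after normalization, never a prefix or substring test.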
----- Original Message ----- From: "Chris Withers" <chrisw@nipltd.com>
I did notice while playing around with this that moving or copying DTML methods that have been set as site access rules did have some bizarre effects I wasn't expecting. I think when I copied one, it stopped working, or something like that...as well as some other such weirdities, is this to be expected?
Access Rules are designated by name within their container; If you rename them, copy them, or move them, the new/renamed method will not be a Rule unless you designate it as one.
PS: What do you, or anyone else for that matter, think of the rule as a solution to the problem in my earlier post? I don't *think* I need any magic folders or anything else, but I'd like to get a second (third, fourth and possibly fifth ;-) opinion before I put it into production...
<dtml-if "_.has_key('virtual_host') and REQUEST.environ['HTTP_HOST']==virtual_host">
  <dtml-call "REQUEST.setURL(path='/')">
</dtml-if>
Looks good! This is similar to the solution that Digital Creations came up with, and is better, I think, than my SiteRoot behavior.
It would appear that a Site Root and a Site Access Rule containing the following are NOT the same: <dtml-call "REQUEST.setURL(base=SiteRootBASE, path=SiteRootPATH)">
Was this Rule living in the subfolder where the SiteRoot would have been?
Also why do the SiteRoot objects have to be in the folder of the virtually hosted site? Why can't I just have one in the root folder which gets picked up through acquisition (they're all blank anyway
Location determines the point at which the SiteRoot affects the URLs. If they did their internal 'setURL' in the root, all that would allow is replacing the initial '/' with the path of your choice, when what you want is to replace '/foo' (or whatever) with '/'. A variant of the SiteRoot scheme in which you could say "replace /foo with /" in the root would require either rewriting the URLn/BASEn and absolute_url code to include the replacement, or a hook after traversal completes which allowed the replacement to be done before rendering the final object. Either would work.
And, most importantly of all, why does adding a site access rule prevent FTP access to Zope?
This is news to me! Prevents how? What are the symptoms, and does it matter what the Rule does? Cheers, Evan @ 4-am & digicool
Hi Evan :-)
Access Rules are designated by name within their container; If you rename them, copy them, or move them, the new/renamed method will not be a Rule unless you designate it as one.
So, it's okay to copy a Site Access Rule DTML method to another folder and then set as a Site Access rule in that folder? I could have sworn when I tried it, the original stopped working too... ...but I was probably wrong...
<dtml-if "_.has_key('virtual_host') and REQUEST.environ['HTTP_HOST']==virtual_host">
  <dtml-call "REQUEST.setURL(path='/')">
</dtml-if>
Looks good! This is similar to the solution that Digital Creations came up with, and is better, I think, than my SiteRoot behavior.
Cool :-)
It would appear that a Site Root and a Site Access Rule containing the following are NOT the same: <dtml-call "REQUEST.setURL(base=SiteRootBASE, path=SiteRootPATH)">
Was this Rule living in the subfolder where the SiteRoot would have been?
Nope... I was hoping just to have one Site Root Access rule that got acquired for each site. Is that not possible? :S

Chris
----- Original Message ----- From: Chris Withers <chrisw@nipltd.com>
So, it's okay to copy a Site Access Rule DTML method to another folder and then set as a Site Access rule in that folder? I could have sworn when I tried it, the original stopped working too... ...but I was probably wrong...
That should work fine. The only weird detail here is that the *icon* of the method probably won't update correctly unless/until you make it not a Rule before copying/renaming/moving it. That's because the icon change is a kludge.
Was this Rule living in the subfolder where the SiteRoot would have been?
Nope... I was hoping just to have one Site Root Access rule that got acquired for each site. Is that not possible? :S
Access Rules are *NEVER* acquired. If they were, you'd have to think about what they might do in every single contained folder. Cheers, Evan @ digicool & 4-am
participants (4)
- Chris Withers
- Evan Simpson
- mindlace
- Oleg Broytmann