I want my standard_html_header to render differently if a person is a manager or a user. I have in the header

    <dtml-if "_.SecurityCheckPermission('View', login_py)">
      Do something
    <dtml-else>
      <form action="login_py">
        <input type="submit" value="Member login"></th>
      </form>
    </dtml-if>

login_py is simply the line

    container.REQUEST.RESPONSE.redirect(container.REQUEST.HTTP_REFERER)

but has the View permissions set to 'Manager/Owner/Authenticated'. When they click on the submit button, they will be prompted for a username and pass since Anonymous does not have view permission for login_py.

What I want is for every page to have a login button if the user is not logged in, and display member information if the user is logged in.

What happens instead is that the anonymous user gets asked for a password when visiting the site home index_html, which includes the standard_html_header. It appears that Zope is trying to access the contents of login_py in the call to

    <dtml-if "_.SecurityCheckPermission('View', login_py)">

rather than simply check the permission, which surprises me.

When I refuse to enter a password for the main site (which should have anonymous access and *does* without the SecurityCheckPermission part), I get the following traceback:

    Traceback (innermost last):
      [ ... snip ...]
      File /workn/Zope-2.5.1b1-src/lib/python/DocumentTemplate/DT_With.py, line 76, in render
        (Object: site_params_py)
      File /workn/Zope-2.5.1b1-src/lib/python/DocumentTemplate/DT_Let.py, line 76, in render
        (Object: standard_header_table_params="'width=140 border=0 cellpadding=2 cellspacing=0'")
      File /workn/Zope-2.5.1b1-src/lib/python/DocumentTemplate/DT_Util.py, line 153, in eval
        (Object: _.SecurityCheckPermission('View', login_py))
        (Info: login_py)
      File /workn/Zope-2.5.1b1-src/lib/python/OFS/DTMLMethod.py, line 151, in validate
        (Object: index_html)
    Unauthorized: You are not allowed to access login_py in this context

Advice warmly welcomed,
John Hunter

    Zope Version : (Zope 2.5.1b1 (source release, python 2.1, linux2), python 2.1.3, linux2)
    Python Version: 2.1.3 (#1, May 31 2002, 14:37:05) [GCC 3.0.4]
    System Platform linux2
John Hunter writes: [...]

> What happens instead is that the anonymous user gets asked for a password when visiting the site home index_html, which includes the standard_html_header. It appears that zope is trying to access the contents of login_py in the call to
>
> <dtml-if "_.SecurityCheckPermission('View', login_py)">
>
> rather than simply check the permission, which surprises me.

Well, the anonymous visitor _is_ accessing "login_py" actually. (Zope does not check permissions on function call, but on attribute access.)

Thus your idea does not work that way. Instead you could check directly if the user is anonymous, by inspecting "_.SecurityGetUser().getUserName=='Anonymous User'" or the like (sorry if I forgot the proper incantation ...)

cheers,
clemens
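A simplified Python model of the behaviour described in the reply above, added here as an illustration; it is not code from the thread or from Zope. `GuardedNamespace`, `User`, `render` and the two `header_*` functions are hypothetical names, and the sample users are constructed. It shows that the permission-based test fails while fetching its own argument, whereas the user-name test never touches the protected object.

```python
class Unauthorized(Exception):
    """Stands in for the Unauthorized error seen in the traceback."""

class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)

    def getUserName(self):
        return self.name

class GuardedNamespace:
    """Toy template namespace: every name lookup is validated for the user."""
    def __init__(self, user, objects, view_roles):
        self.user, self.objects, self.view_roles = user, objects, view_roles

    def may_view(self, name):
        return bool(self.user.roles & self.view_roles[name])

    def __getitem__(self, name):
        if not self.may_view(name):
            raise Unauthorized(
                "You are not allowed to access %s in this context" % name)
        return self.objects[name]

def header_by_permission(ns):
    # Models <dtml-if "_.SecurityCheckPermission('View', login_py)">:
    # the argument login_py is fetched, and validated, before the check runs,
    # so the "login button" branch is never reached for an anonymous visitor.
    ns["login_py"]
    return "member menu" if ns.may_view("login_py") else "login button"

def header_by_user(ns):
    # Models <dtml-if "_.SecurityGetUser().getUserName()=='Anonymous User'">:
    # only the user object is consulted, so nothing protected is touched.
    if ns.user.getUserName() == "Anonymous User":
        return "login button"
    return "member menu"

def render(header, user):
    # login_py is viewable by Manager/Owner/Authenticated, as in the thread.
    ns = GuardedNamespace(user, {"login_py": object()},
                          {"login_py": {"Manager", "Owner", "Authenticated"}})
    try:
        return header(ns)
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc

ANONYMOUS = User("Anonymous User", ["Anonymous"])    # constructed sample users
MEMBER = User("user", ["Authenticated", "Manager"])

if __name__ == "__main__":
    for header in (header_by_permission, header_by_user):
        for user in (ANONYMOUS, MEMBER):
            print(header.__name__, user.getUserName(), "->", render(header, user))
```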
"Clemens" == Clemens Klein-Robbenhaar <robbenhaar@espresto.com> writes:

    Clemens> John Hunter writes: [...]
    >> What happens instead is that the anonymous user gets asked for
    >> a password when visiting the site home index_html, which
    >> includes the standard_html_header. It appears that zope is
    >> trying to access the contents of login_py in the call to
    >>
    >> <dtml-if "_.SecurityCheckPermission('View', login_py)">
    >>
    >> rather than simply check the permission, which surprises me.

    Clemens> Well, the anonymous visitor _is_ accessing "login_py"
    Clemens> actually. (Zope does not check permissions on function
    Clemens> call, but on attribute access.)

    Clemens> Thus Your idea does not work that way. Instead You
    Clemens> could check directly, if the user is anonymous, by
    Clemens> inspecting "_.SecurityGetUser().getUserName=='Anonymous
    Clemens> User'" or the like (sorry, if forgot the proper
    Clemens> incantation ...)

Thanks -- you just forgot the () on getUserName.

But I am still encountering some strangeness.

I am now doing

    <dtml-if "_.SecurityGetUser().getUserName()=='Anonymous User'">

in standard_html_header and using the login_py with view set to manage permissions as before. I am also calling

    <dtml-var "_.SecurityGetUser().getUserName()">

just for debug purposes.

When I visit the main page from a newly loaded browser, it loads with a Members Login button as expected and user name reported as 'Anonymous User'. When I click on the submit button, I get the password box as expected, and enter in a user/passwd with manager permissions. Then I get redirected back to the referer as expected, but the user name is still reported by the dtml-var call as 'Anonymous User'. Refresh doesn't help.

Now things get funny. If I then go to the manage screen with

    http://nitace.bsd.uchicago.edu:8080/template/manage

I can access it because the authentication for 'user' was stored by the browser. If from the manage interface I click 'View', the user is now reported as 'user' and I get the user menu instead of the login button.

If I then try to access the page directly again with

    http://nitace.bsd.uchicago.edu:8080/template

I am back to being an anonymous user.

Please feel free to take a look. The user is 'user' and the password is 'user1234'.

Thanks,
John Hunter
Hi John, [...]

> Thanks -- you just forgot the () on getUserName.

oops :)

> But I am still encountering some strangeness.
>
> I am now doing
>
> <dtml-if "_.SecurityGetUser().getUserName()=='Anonymous User'">
>
> in standard_html_header and using the login_py with view set to manage permissions as before. I am also calling
>
> <dtml-var "_.SecurityGetUser().getUserName()">
>
> just for debug purposes.
>
> When I visit the main page from a newly loaded browser, it loads with a Members Login button as expected and user name reported as 'Anonymous User'. When I click on the submit button, I get the password box as expected, and enter in a user/passwd with manager permissions. Then I get redirected back to the referer as expected, but the user name is still reported by the dtml-var call as 'Anonymous User'. Refresh doesn't help.

... but it seems one is logged in, as pressing the "login" button does not cause an HTTP-auth window popping up; nothing happens.

It's stupid, but I can see the logged-in user if I try:

    http://nitace.bsd.uchicago.edu:8080/template/standard_html_header

i.e. things have no effect if you call the header from another DTML, but calling the code directly works.

I admit I am puzzled. Maybe someone else having more Zen can explain why authentication obtained by a called DTML method is not visible on the next request, if the DTML is called indirectly. (Maybe it's a known Zope bug fixed long ago? Which version are you running?)

Cheers,
Clemens
Participants (2): Clemens Klein-Robbenhaar, John Hunter