FW: Change roles with python
Hello all,

Does anyone know how to change a role with python? I want to have some of the visitors to my site have a different role than Anonymous without having to login to the site.

Thanks for any help!

Andrew R.

Andrew R. Halko wrote at 2003-5-29 07:57 -0400:
> Does anyone know how to change a role with python? I want to have some of the visitors to my site have a different role than Anonymous without having to login to the site.

How do you recognize them when they do not log in?

Your best option (I think) is to make a custom UserFolder that uses your differentiating information to return separate users.

Dieter

Well I want to give users with a certain IP range access to objects that regular visitors are not. I have a very large organization and I want everyone in the organization to be able to view certain content and they all will be within an IP range. Then I have another level of content that a user must login to view. Asking hundreds of people to register and also administrate them is nightmare/impossible.

So I set up two Roles, Intranet User and Internal User. My objects have a state associated with them which is also associated to the various roles. Now I would like to use an access rule to check the user's IP address and then set the role for them to be an Intranet User. Administration would be a nightmare otherwise for my needs. I have determined this to be the best way if possible. I figured that since roles have to be set somewhere, that it would be possible.

Thanks for any help! This is a huge factor for my project at this point.

F.Y.I - I am using Plone on top of Zope, but no one on that mailing list had any responses for this question.

Andrew R. Halko

Andrew R. Halko wrote at 2003-5-29 15:21 -0400:
> Well I want to give users with a certain IP range access to objects that regular visitors are not. I have a very large organization and I want everyone in the organization to be able to view certain content and they all will be within an IP range. Then I have another level of content that a user must login to view. Asking hundreds of people to register and also administrate them is nightmare/impossible.

The built-in UserFolder has such a feature: When you define a user with empty password and domain restriction, then requests coming from this domain are associated with this user provided it provides the required roles. This feature is now disabled by default but can be enabled on an instance basis (look at the code, for details: --> "AccessControl/User.py").

> So I set up two Roles, Intranet User and Internal User. My objects have a state associated with them which is also associated to the various roles. Now I would like to use an access rule to check the user's IP address and then set the role for them to be an Intranet User.

This will not work (easily): Roles are managed by the User object. A User object is only created after traversal has finished; there is not yet a User object when AccessRules are executed.

Dieter

In User.py there are some lines:

    _remote_user_mode=_remote_user_mode
    _domain_auth_mode=0
    _emergency_user=emergency_user
    # Note: use of the '_super' name is deprecated.
    _super=emergency_user
    _nobody=nobody

Is all I have to change the _domain_auth_mode=0 to be 1? Also, how would you put a range of IPs like a class C in the domain field?

Sorry for all the questions, but here are a few just for pure interest and not a big deal if you don't answer. For a created user not to have a password, do they have to have a domain restriction? Can multiple ones be created with the same or different restrictions?

Thanks for everything, I was getting worried I had no way to do it.

Andrew R. Halko

Andrew R. Halko wrote at 2003-5-31 09:28 -0400:
> In User.py there are some lines:
>
>     _remote_user_mode=_remote_user_mode
>     _domain_auth_mode=0
>     _emergency_user=emergency_user
>     # Note: use of the '_super' name is deprecated.
>     _super=emergency_user
>     _nobody=nobody
>
> Is all I have to change the _domain_auth_mode=0 to be 1?

The user folder has also a method that can control the "_domain_auth_mode". You can call this method via Web to change the mode. That was what I have been suggesting.

But, you can modify the sources, too. Be careful with upgrades, then.

Dieter

Sorry for all the questions. How do you override this setting? I have other users in this IP address range that I want to be able to login to other accounts. I noticed I can't logout of this account.

Andrew R. Halko

Andrew R. Halko wrote at 2003-5-31 10:38 -0400:
> ... domain auth mode ... How do you override this setting?

You cannot override it, but when the UserFolder works correctly, it should use this user only when its roles are sufficient for the current request. Otherwise, it should return None which results in an "Unauthorized" response (unless there is a UserFolder higher up which can authenticate the user with the required roles).

The "sufficient" roles are determined (only) from the published object (i.e. the one located by traversal).

Try to access an object viewable only to (e.g.) "Manager" (e.g. "acl_users/manage_users"). You should get a login dialog (unless you have been logged in as a "Manager").

Dieter
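
Added example (not part of the original thread and not Zope's AccessControl code): a stand-alone Python model of the decision Dieter describes, where a password-less user with a domain restriction is returned only when domain auth mode is on, the request comes from that domain, and the user's roles satisfy the published object. DomainUser, identify() and the CIDR notation used for the domain restriction are assumptions made for this illustration; the addresses are constructed sample values.

```python
# Simplified model of domain-based authentication as described in the thread.
# Not Zope's AccessControl code: DomainUser, identify() and the CIDR syntax
# are assumptions made for this illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainUser:
    name: str
    roles: frozenset
    networks: tuple  # CIDR strings; stands in for the user's domain restriction
    password: str = ""  # empty password marks a domain-authenticated user


def in_domains(remote_addr, networks):
    """True if the peer address lies in one of the user's networks."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def identify(users, remote_addr, required_roles, domain_auth_mode=False):
    """Return the first password-less user whose domain matches and whose
    roles satisfy the published object; None means 'Unauthorized'."""
    if not domain_auth_mode:  # feature is off unless explicitly enabled
        return None
    for user in users:
        if user.password:  # normal accounts still need a login
            continue
        if not in_domains(remote_addr, user.networks):
            continue
        if user.roles & frozenset(required_roles):
            return user
    return None


# Constructed sample data: one intranet account covering a /24.
USERS = [DomainUser("intranet", frozenset({"Intranet User"}), ("192.0.2.0/24",))]


def demo():
    inside, outside = "192.0.2.57", "198.51.100.9"
    return {
        "intranet page, inside": identify(USERS, inside, ["Intranet User"], True),
        "intranet page, outside": identify(USERS, outside, ["Intranet User"], True),
        "manager page, inside": identify(USERS, inside, ["Manager"], True),
        "mode off, inside": identify(USERS, inside, ["Intranet User"], False),
    }
```

In this model the remote address is taken to be the TCP peer address seen by the server; a None result corresponds to the "Unauthorized" response and login dialog described above.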

Participants (2): Andrew R. Halko, Dieter Maurer