RE: [Zope] AUTHENTICATED_USER, and what you can do with it.
-----Original Message-----
From: Martijn Pieters [mailto:mj@antraciet.nl]
Sent: Tuesday, March 02, 1999 9:35 AM
To: JP Glutting; zope@zope.org
Subject: [Zope] AUTHENTICATED_USER, and what you can do with it.
This is an excellent post. I want to add that _getPassword() is a handy function also if you want to use your Zope user to authenticate into an external system, like POP3 or IMAP. -Michel
Use <!--#var expr="AUTHENTICATED_USER.getUserName()"-->
More hints like this can be found in the User.py file in your lib/python/AccessControl directory.
The following functions could be useful:

    getUserName(self): Return the username of a user
    getRoles(self): Return the list of roles assigned to a user.
    getDomains(self): Return the list of domain restrictions for a user
    allowed(self, parent, roles=None): Check whether the user has access to parent
    hasRole(self, parent, roles=None): Check whether the user has the specified roles
    has_role(self, roles): Check whether the user has the specified roles

allowed & hasRole are one and the same. When called with parent=None, it just returns whether the user has the named roles. has_role also checks for roles, but doesn't automatically include the Anonymous role. So, hasRole(None, 'Anonymous') always returns true, but has_role('Anonymous') returns false for every user that has been authenticated.
Note that AUTHENTICATED_USER is always defined, also for anonymous access.
Here is a little example of what you could do with these functions:
<!--#comment-->Display user info<!--#/comment-->
You are the user named <!--#var expr="AUTHENTICATED_USER.getUserName()"-->.<P>

<!--#if "AUTHENTICATED_USER.getRoles()"-->
You have the following roles:
<!--#in "AUTHENTICATED_USER.getRoles()"-->
<LI><!--#var sequence-item-->
<!--#/in-->
<!--#else-->
You have no roles defined.
<!--#/if-->
<P>

<!--#if "AUTHENTICATED_USER.getDomains()"-->
You are allowed to log in from the following domains:
<!--#in "AUTHENTICATED_USER.getDomains()"-->
<LI><!--#var sequence-item-->
<!--#/in-->
<!--#else-->
You can log in from any domain.
<!--#/if-->
<P>

<!--#if "AUTHENTICATED_USER.has_role(['Manager'])"-->
You have the 'Manager' role.<BR>
<!--#/if-->

<!--#if "AUTHENTICATED_USER.has_role(['Anonymous'])"-->
You have the 'Anonymous' role. You are therefore an anonymous user.<BR>
<!--#/if-->

<!--#if "AUTHENTICATED_USER.has_role(['nonexistent'])"-->
You have the 'nonexistent' role.<BR>
<!--#/if-->

<!--#var standard_html_footer-->
The last call to has_role is to show that the user defined in the 'access' file in the root folder of your Zope installation has ALL roles, including non-existent ones. And even more interesting, the call to getRoles() will get you 'manage', a misspelled version of the 'Manager' role. This is probably the only way to reliably recognize the superuser.

--
M.J. Pieters, Web Developer | Antraciet http://www.antraciet.nl
Tel: +31-35-6254545 Fax: +31-35-6254555 | mailto:mj@antraciet.nl
http://www.antraciet.nl/~mj | PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
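The role checks Martijn lists above, modelled in Python as an added example (this is not code from the thread or from Zope's own User.py; the class, the `__roles__` lookup used when `roles=None`, and the `is_superuser()` helper are my own assumptions):

```python
# Added example: a minimal model of the Zope 1.x User API described in the
# thread. It is NOT Zope's User.py; the __roles__ lookup for roles=None and
# the is_superuser() helper are my own assumptions.


class User:
    def __init__(self, name, roles, domains=(), superuser=False):
        self.name = name
        self.roles = list(roles)
        self.domains = list(domains)
        self.superuser = superuser        # the user from the root 'access' file

    def getUserName(self):
        return self.name

    def getRoles(self):
        # Per the thread, the superuser reports the misspelled role 'manage'.
        return ['manage'] if self.superuser else list(self.roles)

    def getDomains(self):
        return list(self.domains)

    def has_role(self, roles):
        """Strict check: 'Anonymous' is NOT granted implicitly."""
        if isinstance(roles, str):
            roles = [roles]
        if self.superuser:
            return True                   # superuser passes every role check
        return any(r in self.roles for r in roles)

    def hasRole(self, parent, roles=None):
        """Access check: every user counts as 'Anonymous'. With roles=None the
        roles required by parent are used (assumed here to be parent.__roles__;
        a parent without __roles__, or parent=None, is treated as public)."""
        if roles is None:
            roles = getattr(parent, '__roles__', None)
            if roles is None:
                return True
        if isinstance(roles, str):
            roles = [roles]
        if 'Anonymous' in roles:
            return True
        return self.has_role(roles)

    allowed = hasRole                     # "allowed & hasRole are one and the same"


def is_superuser(user):
    """The thread's heuristic: only the superuser's getRoles() contains 'manage'."""
    return 'manage' in user.getRoles()
```

The model reproduces the quirk in the post: `hasRole(None, 'Anonymous')` is true for everyone, `has_role('Anonymous')` is false for authenticated users, and the superuser passes even a check for a role that does not exist.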
On 02-Mar-99 Michel Pelletier wrote:
This is an excellent post. I want to add that _getPassword() is a handy function also if you want to use your Zope user to authenticate into an external system, like POP3 or IMAP.
It occurs to me that a DTML document could contain this in a transparent sendmail form, assuming there is already a handy Mailhost set up, to capture and mail off the password of anyone browsing the page...

---
Julian Morrison
Programmer (Zereau Ltd)
At 17:19 02/03/99 , julian@zereau.net wrote:
On 02-Mar-99 Michel Pelletier wrote:
This is an excellent post. I want to add that _getPassword() is a handy function also if you want to use your Zope user to authenticate into an external system, like POP3 or IMAP.
It occurs to me that a DTML document could contain this in a transparent sendmail form, assuming there is already a handy Mailhost set up, to capture and mail off the password of anyone browsing the page...
No, because from DTML you can't call methods starting with an underscore. This was actually the reason I didn't include this in my overview. You can still use it in an external method, I know. But then again, I can do a heck of a lot more bad things in external methods.

--
M.J. Pieters
While we are on the subject of AUTHENTICATED_USER, I would like my users to be able to "logout" so that they then become anonymous again. Any ideas? I have seen this on Dejanews. It would be useful so that authorized users don't leave themselves logged in if they don't quit Netscape.

Phil.
------------------------------------------
Philip Aylesworth
zopelist@regalint.com
Regal International
At 17:37 02/03/99 , you wrote:
While we are on the subject of AUTHENTICATED_USER, I would like my users to be able to "logout" so that they then become anonymous again.
Any ideas?
I have seen this on Dejanews. It would be useful so that authorized users don't leave themselves logged in if they don't quit Netscape.
Phil.
This is very hard to do from the server side. I can force a new login, but I cannot stop a browser from authenticating itself at every request, therefore effectively becoming anonymous. The problem is more that HTTP is stateless: a user is not 'still logged in', but authenticates itself at every request. Only when the server says that the authentication is incorrect does the browser ask for the username and password. What you could do is write your own UserFolder/User combo that stores a last-access time on the User object and checks for this every time a user is authenticated. If the difference is greater than, say, 15 minutes, you force a reauthentication by raising a permission denied.

--
M.J. Pieters
What you could do, is write your own UserFolder/User combo, that stores a last-access time on the User object, and checks for this every time a user is authenticated. If the difference is greater than, say 15 minutes, you force a reauthentication by raising a permission denied.
I tried playing with this once upon a time, but I found that the stupid browser still cached the original result and would continue to use it after the failed login/relogin combination. Most frustrating.

Anthony
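The last-access timeout Martijn sketches, together with the browser behaviour Anthony reports, as an added Python model (this is not code from the thread or from Zope; `TimedUser`, `check_request` and the 15-minute constant are my own hypothetical names and values). It shows what the scheme can and cannot do: a permission denied forces one fresh prompt, but the retry carries the same name:password pair whether a person retyped it or the browser resent what it had cached, so the server cannot tell the two apart.

```python
# Added example: model of a User object that forces re-authentication after
# 15 minutes of inactivity, as proposed in the thread. Not Zope code; names
# and the HTTP status strings are my own.

TIMEOUT = 15 * 60          # seconds of inactivity before a forced re-prompt


class TimedUser:
    def __init__(self, name, password, now):
        self.name = name
        self._password = password          # stands in for _getPassword()
        self.last_access = now             # stored on the User object
        self.challenge_pending = False     # a forced 401 has been sent

    def check_request(self, password, now):
        """Return '200' (serve the page) or '401' (make the browser prompt).

        'now' is the request time in seconds; passing it in keeps the model
        deterministic for testing.
        """
        if password != self._password:
            self.challenge_pending = False
            return '401'                   # plain wrong password
        if now - self.last_access > TIMEOUT and not self.challenge_pending:
            # Idle too long: deny once, as Martijn proposes, so the browser
            # discards its cached credentials and asks the user again.
            self.challenge_pending = True
            return '401'
        # Either recent activity or the retry after our forced challenge.
        # HTTP Basic auth resends the identical pair in both cases, so the
        # retry is accepted whether a human retyped it or the browser simply
        # resent what it had cached (the behaviour Anthony describes).
        self.challenge_pending = False
        self.last_access = now
        return '200'
```

The consequence for a defender is that the timeout buys one visible prompt per idle period and nothing more; a real logout needs state the browser will honour, which Basic authentication does not offer.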
participants (5)
- Anthony Baxter
- julian@zereau.net
- Martijn Pieters
- Michel Pelletier
- Philip Aylesworth