Hi Jens,

I thought today about group to role mapping and the zope roles Anonymous and Authenticated.

Am I right that Authenticated will be assigned if a user successfully validates against the LDAP server?

Do you think it is possible in LDAPUserFolder / LDAPRoleTwiddler to assign Authenticated only if a user is a member of a special LDAP group?

I came about this point while I develop our intranet with EasyPublisher which has the 4 standard zope roles + 2 roles for workflow and content management:

Anonymous, Authenticated, Manager, Owner + Author & Reviewer

If I want to restrict visitors on a special folder to view only public material this will be done via standard zope mechanism.

If I want to allow a special group of authenticated users to access non public material I have a problem:

I want to use standard zope mechanism (like skip_unauthorized). Authenticated users will get the role Authenticated. I can't differ between Authenticated users which have the rights to access the material and Authenticated users which aren't allowed to view the material.

One way out would be the definition of a new role, name it 'Viewer'. But then I have to program special Role behaviour like <dtml-if "AUTHENTICATED_USER.has_role('Viewer')"> ... </dtml-if>

If I could use the skip_unauthorized feature this would be more general.

A possibility to say in LDAPRoleTwiddler something like: If not member of LDAP-group x then not role y.

Can you give me your point of view?

Regards, Dirk
as far as the Authenticated role goes, it is never something you should assign programmatically in your own code. Authenticated is a role that generically says "this user is not just anonymous", and that's all. it is not supposed to be assigned by third-party code. i won't put any code into my products that allows the user to do so, either.

what is the problem with using the standard zope mechanisms? creating a specific role in zope and maybe mapping some LDAP group to it should do the job.

jens

On Sunday, May 12, 2002, at 04:59, Dirk Datzert wrote:
Hi Jens,
I thought today about group to role mapping and the zope roles Anonymous and Authenticated.
Am I right that Authenticated will be assigned if a user successfully validates against the LDAP server?
Do you think it is possible in LDAPUserFolder / LDAPRoleTwiddler to assign Authenticated only if a user is a member of a special LDAP group?
I came about this point while I develop our intranet with EasyPublisher which has the 4 standard zope roles + 2 roles for workflow and content management:
Anonymous, Authenticated, Manager, Owner + Author & Reviewer
If I want to restrict visitors on a special folder to view only public material this will be done via standard zope mechanism.
If I want to allow a special group of authenticated users to access non public material I have a problem:
I want to use standard zope mechanism (like skip_unauthorized). Authenticated users will get the role Authenticated. I can't differ between Authenticated users which have the rights to access the material and Authenticated users which aren't allowed to view the material.
One way out would be the definition of a new role, name it 'Viewer'. But then I have to program special Role behaviour like <dtml-if "AUTHENTICATED_USER.has_role('Viewer')"> ... </dtml-if>
If I could use the skip_unauthorized feature this would be more general.
A possibility to say in LDAPRoleTwiddler something like: If not member of LDAP-group x then not role y.
Can you give me your point of view?
Regards, Dirk
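
The approach suggested in the reply (a dedicated role mapped from an LDAP group, with Authenticated left implicit) can be modelled as follows. This is an added example, not part of the original thread and not LDAPUserFolder or Zope code; the group DNs, the mapping table, the function names and the folder's View setting are all assumptions made for illustration.

```python
# Stand-alone model of LDAP-group-to-role mapping; not LDAPUserFolder or Zope code.
# Group DNs, the "Viewer" mapping and the folder's View setting are constructed samples.

IMPLICIT_ROLES = frozenset({"Anonymous", "Authenticated"})  # never mapped from a group

GROUP_TO_ROLE = {
    "cn=intranet-viewers,ou=groups,dc=example,dc=com": "Viewer",
    "cn=editors,ou=groups,dc=example,dc=com": "Author",
}

# Roles holding the View permission on the non-public folder (constructed).
NONPUBLIC_VIEW_ROLES = frozenset({"Viewer", "Manager"})


def normalize_dn(dn):
    """Simplified DN normalisation: case-fold and drop spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def validate_mapping(mapping):
    """Refuse a mapping that would hand out an implicit role via a group."""
    bad = sorted(g for g, role in mapping.items() if role in IMPLICIT_ROLES)
    if bad:
        raise ValueError("implicit role mapped from group(s): %s" % ", ".join(bad))
    return {normalize_dn(g): role for g, role in mapping.items()}


def roles_for(user_groups, authenticated, mapping=GROUP_TO_ROLE):
    """Return the role set for a user after the LDAP validation step."""
    if not authenticated:
        return {"Anonymous"}
    table = validate_mapping(mapping)
    roles = {"Authenticated"}  # implied by a successful login, nothing more
    for dn in user_groups:
        role = table.get(normalize_dn(dn))
        if role:
            roles.add(role)
    return roles


def can_view(roles, allowed=NONPUBLIC_VIEW_ROLES):
    """Per-object check: the user needs at least one role holding View."""
    return bool(set(roles) & allowed)


if __name__ == "__main__":
    member = roles_for(["CN=Intranet-Viewers, ou=groups, dc=example, dc=com"], True)
    outsider = roles_for(["cn=staff,ou=groups,dc=example,dc=com"], True)
    print(sorted(member), can_view(member))
    print(sorted(outsider), can_view(outsider))
```

Because access is decided by the role set on the object rather than by template logic, no per-page has_role test is needed in this model.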