Problem with AUTHENTICATED_USER.has_role('X')
I'm stumped.

I have a block of DTML code in my standard_html_header file that is supposed to tailor the menu line depending upon the user's role (once authenticated). For example, the standard_html_header file contains something like:

<dtml-if "AUTHENTICATED_USER.has_role('Manager')">
  ... make a (more extensive) menu line
<dtml-else>
  ... make a menu line for non-authenticated users
</dtml-if>

I have a login menu item for the non-authenticated users, giving them an opportunity to authenticate. The authentication scheme calls a DTML Method (named "logger") that has security settings such that the challenge/response routine is initiated. Once the user is able to run logger, it takes them back to the index_html file (with the standard_html_header file mentioned above). When coming from the logger object, the menu is constructed correctly (according to the user's role). However, when coming back to index_html from somewhere else (say another folder), it goes back to the non-authenticated menu as if I never logged in (i.e., the code of the AUTHENTICATED_USER has somehow changed or is being ignored). Note, when I click on the login menu button (calling the logger object), I immediately get the correct menu (without the challenge/response).

Is there something to remedy this problem?

TIA,
Ron
It's better to do:

<dtml-if "_.SecurityGetUser().has_role('Manager')">

REQUEST.AUTHENTICATED_USER can be less secure.

I don't understand the other bit of your problem I'm afraid. Have you tried with another browser?

I've found that cookie based authentication (I use CookieCrumbler) is far nicer for the user, especially for things such as logging out. Something to consider.

A

On 12/12/02 2:34 pm, "complaw@hal-pc.org" <complaw@hal-pc.org> wrote:
complaw@hal-pc.org writes:
> ... The authentication scheme calls a DTML Method (named "logger") that has security settings such that the challenge/response routine is initiated. Once the user is able to run logger, it takes them back to the index_html file (with the standard_html_header file mentioned above). When coming from the logger object, the menu is constructed correctly (according to the user's role). However, when coming back to index_html from somewhere else (say another folder), it goes back to the non-authenticated menu as if I never logged in (i.e., the code of the AUTHENTICATED_USER has somehow changed or is being ignored).

According to the HTTP specification, a browser should automatically add authentication information for requests at the same level or below the object which required the authentication.

Thus, URLs going to a different subtree will not automatically get authentication information and are apparently accessed by "Anonymous".

Workaround: Move your "logger" into the root of your Website.

Some browsers (prominent example, early versions of IE 5.0) do not follow the HTTP "should" specification. If you have such a browser, upgrade to something better.

Dieter
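The scoping rule Dieter describes, as an added illustration that is not code from this thread: RFC 2617 lets a browser preemptively send cached Basic credentials only to URLs at or below the directory of the URL that issued the 401 challenge, which is why a "logger" under /site/ does not cover /other/ but one at the site root does. The host and paths are constructed sample values.

```python
from urllib.parse import urlsplit


def protection_space(challenge_url: str) -> str:
    """Return the URL prefix a browser treats as the Basic-auth protection
    space: scheme, host and the path up to and including the last '/'
    of the URL that answered with 401 (RFC 2617 section 2, as browsers
    commonly read it)."""
    parts = urlsplit(challenge_url)
    path = parts.path or "/"
    base = path[: path.rfind("/") + 1]
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{base}"


def will_send_credentials(challenge_url: str, request_url: str) -> bool:
    """True if a conforming browser adds the cached Authorization header to
    request_url without a fresh challenge, i.e. the request lies inside the
    protection space established by challenge_url."""
    space = urlsplit(protection_space(challenge_url))
    req = urlsplit(request_url)
    same_origin = (req.scheme.lower(), req.netloc.lower()) == (space.scheme, space.netloc)
    return same_origin and (req.path or "/").startswith(space.path)


# Constructed sample site layout (not from the thread).
LOGGER_IN_FOLDER = "http://www.example.org/site/logger"
LOGGER_AT_ROOT = "http://www.example.org/logger"
SAME_FOLDER = "http://www.example.org/site/index_html"
OTHER_FOLDER = "http://www.example.org/other/index_html"


def scenario() -> dict:
    """Compare the two placements of 'logger' against both index pages."""
    return {
        "folder logger, same folder": will_send_credentials(LOGGER_IN_FOLDER, SAME_FOLDER),
        "folder logger, other folder": will_send_credentials(LOGGER_IN_FOLDER, OTHER_FOLDER),
        "root logger, other folder": will_send_credentials(LOGGER_AT_ROOT, OTHER_FOLDER),
    }


if __name__ == "__main__":
    for case, sends in scenario().items():
        print(f"{case}: credentials sent = {sends}")
```

The second case is the Anonymous menu Ron sees; the third is the effect of the workaround.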
participants (3)
- Andrew Veitch
- complaw@hal-pc.org
- Dieter Maurer