hiding site content based upon a domain? (similar to htaccess)
Is there any way to restrict access to a section of a site (and all objects under it) to a particular domain, or to make a section/sub-objects available to only a particular domain? I'm basically trying to get some of the functionality of htaccess in a Zope setup.
cheers
tone.
------
Dr Tony McDonald, FMCC, Networked Learning Environments Project http://nle.ncl.ac.uk/
The Medical School, Newcastle University Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
At 09:48 05/08/99 , Tony McDonald wrote:
Is there any way to restrict access to a section of a site (and all objects under it) to a particular domain, or to make a section/sub-objects available to only a particular domain?
Yup, users can have a 'domains' list. If you define a user specifically for the domain you want to limit access to, with no password but with the Domains field filled in, all users from that domain are authenticated as that user.
The Domains property is of type 'tokens', so you can fill in a list of domains, and use wildcards as well. Domains of type 10.1.*.* work fine, as do *.antraciet.nl types.
--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| Tel: +31-35-7502100 Fax: +31-35-7502111
| mailto:mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
------------------------------------------
At 12:55 pm +0200 5/8/99, Martijn Pieters wrote:
At 09:48 05/08/99 , Tony McDonald wrote:
Is there any way to restrict access to a section of a site (and all objects under it) to a particular domain, or to make a section/sub-objects available to only a particular domain?
Yup, users can have a 'domains' list. If you define a user specifically for the domain you want to limit access to, with no password but with the Domains field filled in, all users from that domain are authenticated as that user.
The Domains property is of type 'tokens', so you can fill in a list of domains, and use wildcards as well. Domains of type 10.1.*.* work fine, as do *.antraciet.nl types.
Cheers Martijn,
That's really cool, it works well. Problem is I'd like to deny access to people who aren't in that domain (preferably with a dtml doc that tells them why). Is there a way of doing this?
tia
tone
------
Dr Tony McDonald, FMCC, Networked Learning Environments Project http://nle.ncl.ac.uk/
The Medical School, Newcastle University Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
At 14:44 05/08/99 , Tony McDonald wrote:
Cheers Martijn,
That's really cool, it works well. Problem is I'd like to deny access to people who aren't in that domain (preferably with a dtml doc that tells them why). Is there a way of doing this?
Hmm...
Try making a user (anon?) that has a domain spec of *.*.*.* Also add a user (deny?) that has the domain spec you want to exclude.
Now you _should_ be able to distinguish between the two in your standard_html_header and redirect deny to a page telling him that access is denied...
If you find that the user anon always matches, try placing it in the acl_users folder one step up in the hierarchy from the folder you defined deny in.
All of this untested of course =) YMMV.
Let us know if this works!
--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| Tel: +31-35-7502100 Fax: +31-35-7502111
| mailto:mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
------------------------------------------
At 4:43 pm +0200 5/8/99, Martijn Pieters wrote:
At 14:44 05/08/99 , Tony McDonald wrote:
Cheers Martijn,
That's really cool, it works well. Problem is I'd like to deny access to people who aren't in that domain (preferably with a dtml doc that tells them why). Is there a way of doing this?
Hmm...
Try making a user (anon?) that has a domain spec of *.*.*.* Also add a user (deny?) that has the domain spec you want to exclude.
Now you _should_ be able to distinguish between the two in your standard_html_header and redirect deny to a page telling him that access is denied...
If you find that the user anon always matches, try placing it in the acl_users folder one step up in the hierarchy from the folder you defined deny in.
All of this untested of course =) YMMV.
Let us know if this works!
Ok, here's where I'm at:
acl_users folder in the folder I want to protect has some users as well as the special user 'ValidUser' who has the domain *.ncl.ac.uk and no password. (for testing purposes I've set the domain to be nonexistantbox.ncl.ac.uk)
You're right Martijn, in that I needed to put my anonymous user (called AnonUser) in the acl_users folder above. That person has domain *.*.*.* and no password.
If I attempt to access the folder that has ValidUser (from a machine *not* in the correct domain, ie for this example I'm coming in from a box that isn't called 'nonexistantbox'), some code in index_html tells me that AUTHENTICATED_USER is AnonUser. If I change the ValidUser domain to be my machine, AUTHENTICATED_USER is ValidUser. Cool.
So, I put some logic at the top of standard_html_header like so:
<!--#if "AUTHENTICATED_USER=='AnonUser'"-->
<!--#call "RESPONSE.redirect('denied')"-->
<!--#/if-->
<html>
<head>
etc etc
And I *still* get the main page showing up and telling me I'm AnonUser (ie the page I get is what I should see if I'm ValidUser).
Does standard_html_header do some other voodoo that isn't plainly obvious?
baffled-ly,
tone.
------
Dr Tony McDonald, FMCC, Networked Learning Environments Project http://nle.ncl.ac.uk/
The Medical School, Newcastle University Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
At 08:47 AM 8/6/99 +0100, Tony McDonald wrote:
So, I put some logic at the top of standard_html_header like so:
<!--#if "AUTHENTICATED_USER=='AnonUser'"-->
<!--#call "RESPONSE.redirect('denied')"-->
<!--#/if-->
<html>
<head>
etc etc
And I *still* get the main page showing up and telling me I'm AnonUser (ie the page I get is what I should see if I'm ValidUser).
Does standard_html_header do some other voodoo that isn't plainly obvious?
No. The problem is that:
<!--#if "AUTHENTICATED_USER=='AnonUser'"-->
Should be:
<!--#if "AUTHENTICATED_USER.name=='AnonUser'"-->
Because AUTHENTICATED_USER is a user *object*, not a string. The string representation of a user object is its .name attribute, but if you try to just compare a user object to a string, it will always fail.
And I *still* get the main page showing up and telling me I'm AnonUser (ie the page I get is what I should see if I'm ValidUser).
Does standard_html_header do some other voodoo that isn't plainly obvious?
No. The problem is that:
<!--#if "AUTHENTICATED_USER=='AnonUser'"-->
Should be:
<!--#if "AUTHENTICATED_USER.name=='AnonUser'"-->
Because AUTHENTICATED_USER is a user *object*, not a string. The string representation of a user object is its .name attribute, but if you try to just compare a user object to a string, it will always fail.
Many thanks indeed Phillip! - works like a charm!
onwards and upwards.....
tone.
------
Dr Tony McDonald, FMCC, Networked Learning Environments Project http://nle.ncl.ac.uk/
The Medical School, Newcastle University Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
"Phillip J. Eby" wrote:
At 08:47 AM 8/6/99 +0100, Tony McDonald wrote:
So, I put some logic at the top of standard_html_header like so:
<!--#if "AUTHENTICATED_USER=='AnonUser'"-->
<!--#call "RESPONSE.redirect('denied')"-->
<!--#/if-->
<html>
<head>
etc etc
And I *still* get the main page showing up and telling me I'm AnonUser (ie the page I get is what I should see if I'm ValidUser).
Does standard_html_header do some other voodoo that isn't plainly obvious?
No. The problem is that:
<!--#if "AUTHENTICATED_USER=='AnonUser'"-->
Should be:
<!--#if "AUTHENTICATED_USER.name=='AnonUser'"-->
Because AUTHENTICATED_USER is a user *object*, not a string. The string representation of a user object is its .name attribute, but if you try to just compare a user object to a string, it will always fail.
Actually:
<!--#if "_.str(AUTHENTICATED_USER)=='AnonUser'"-->
is better, because it doesn't rely on the name attribute.
Jim
--
Jim Fulton mailto:jim@digicool.com Python Powered!
Technical Director (888) 344-4332 http://www.python.org
Digital Creations http://www.digicool.com http://www.zope.org
Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email address may not be added to any commercial mail list without my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
participants (4): Jim Fulton, Martijn Pieters, Phillip J. Eby, Tony McDonald
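Added example, not part of the thread and not Zope's own code: a small Python model of the setup discussed above (a domain-only ValidUser in the protected folder's acl_users, a catch-all AnonUser one level up), showing why the object-to-string comparison let the page through and how the string form fixes it. The class and function names, the fnmatch-based wildcard matching, the sample clients and the allowlist variant are assumptions made for illustration.

```python
# Simplified model of the thread's setup; an added example, NOT Zope's own code.
from fnmatch import fnmatchcase

class User:
    """Stand-in for a Zope user object: an object, not a string."""
    def __init__(self, name, domains):
        self.name, self.domains = name, domains
    def __str__(self):
        return self.name

def spec_matches(spec, host, addr):
    # Assumption: plain wildcard match against host name or IP address.
    return fnmatchcase(host.lower(), spec.lower()) or fnmatchcase(addr, spec)

def authenticate(user_folders, host, addr):
    """Search acl_users folders nearest-first; the first domain match wins."""
    for folder in user_folders:
        for user in folder:
            if any(spec_matches(s, host, addr) for s in user.domains):
                return user
    return None

def header_buggy(user):
    # Object compared with a string: never equal, so the redirect never fires.
    return "denied" if user == "AnonUser" else "page"

def header_fixed(user):
    # The _.str(AUTHENTICATED_USER) form from the thread.
    return "denied" if str(user) == "AnonUser" else "page"

def header_allowlist(user):
    # Added variant: name who may pass, so an unmatched client is denied too.
    return "page" if user is not None and str(user) == "ValidUser" else "denied"

# Constructed folders: the protected folder first, then its parent.
FOLDERS = [
    [User("ValidUser", ["*.ncl.ac.uk"])],
    [User("AnonUser", ["*.*.*.*"])],
]

if __name__ == "__main__":
    # Constructed clients (documentation address ranges).
    for host, addr in [("pc7.med.ncl.ac.uk", "192.0.2.7"),
                       ("box.example.org", "198.51.100.9")]:
        u = authenticate(FOLDERS, host, addr)
        print(host, "->", u, header_buggy(u), header_fixed(u), header_allowlist(u))
```

The header check only guards pages that render standard_html_header, and the domain match is only as trustworthy as the client address and reverse DNS name the server sees.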