I have some confusion over how to build a web site in Zope which allows people to access the site either as a "normal" web site, or to access it for the purpose of maintenance. An example of this might be something like zope.org. I can visit www.zope.org and never be prompted for a password. I can visit all "public" sections without seeing a prompt. Yet I know that there is a management interface underneath. How is this handled?

Another thing I would like to do (I think) is establish a "registered" user type. A registered user would be able to see more content than just the home page. When an attempt is made to access a "registered user" page by an unregistered user, I want to display a login page rather than a basic auth dialog. Can I do something like this with a Generic User Folder?

Thanks

James W. Howe mailto:jwh@allencreek.com
Allen Creek Software, Inc. pgpkey: http://ic.net/~jwh/pgpkey.html
Ann Arbor, MI 48103
At 10:59 am -0500 11/2/00, James W. Howe wrote:
I have some confusion over how to build a web site in Zope which allows people to access the site either as a "normal" web site, or to access it for the purpose of maintenance. An example of this might be something like zope.org. I can visit www.zope.org and never be prompted for a password. I can visit all "public" sections without seeing a prompt. Yet I know that there is a management interface underneath. How is this handled? Another thing I would like to do (I think) is establish a "registered" user type. A registered user would be able to see more content than just the home page. When an attempt is made to access a "registered user" page by an unregistered user, I want to display a login page rather than a basic auth dialog. Can I do something like this with a Generic User Folder?
Thanks
James W. Howe mailto:jwh@allencreek.com
1) There are no stupid questions
2) This may be a stupid answer, as authentication/User Access can get sticky....

Basically you add '/manage' to the end of urls. You'll then be prompted for a username/password (which is usually the username/password pair in the 'access' file in the Zope directory). If additional users are defined in acl_users with the role 'manager' then they too can authenticate in this way.

Alternatively, *you* can add restraints to people using the site. This is done by turning off 'Acquire Permission Settings' for the 'View' permission on a file or folder. You then turn on the permission for the 'Owner' role. When someone tries to access that file, they'll get the standard authentication dialog box pop up. If they are in the acl_users folder with role Owner they can get in by filling in the boxes.

If you want authentication *in the HTML page itself* you MUST use something like UserDB or Generic User Folder, so you're correct there. The first one requires access to an SQL database (basically you edit the docLogin *property* in the acl_users folder). I have no experience with Generic User Folder, but it seems pretty good.

Check out the HowTos for more details James, it's not too difficult to get some quite sophisticated permissions setups running under Zope (certainly much finer grained than a Unix system for example)!

HTH
Tone (who's 'doing his bit' for getting two answers today! :)

------
Dr Tony McDonald, FMCC, Networked Learning Environments Project http://nle.ncl.ac.uk/
The Medical School, Newcastle University Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
At 04:44 PM 2/11/00 +0000, Tony McDonald wrote:
At 10:59 am -0500 11/2/00, James W. Howe wrote:
I have some confusion over how to build a web site in Zope which allows people to access the site either as a "normal" web site, or to access it for the purpose of maintenance. [...]
Alternatively, *you* can add restraints to people using the site. This is done by turning off 'Acquire Permission Settings' for the 'View' permission on a file or folder. You then turn on the permission for the 'Owner' role. When someone tries to access that file, they'll get the standard authentication dialog box pop up. If they are in the acl_users folder with role Owner they can get in by filling in the boxes.
Let me describe a mechanism that I'm contemplating and see if it makes sense.

I have a root folder named Foo which contains all the content for my web site. The Foo folder has a user folder defined for it. I create a new role called "registered". For each subfolder that I want to be publicly viewable I simply use the default security level. For any folder which is only accessible to registered users I change the security to prevent acquisition of the "Access Contents Information" and instead check it for all applicable roles other than anonymous. For example, I would select it for the "registered" role.

The above seems to cover most of my site, however I still have a problem. My Foo root folder contains several "utility" type DTMLMethods. Under the scheme described above any user could view the methods if they typed the appropriate URL. The key thing is that I want the user to be able to view the index_html method, for example, but I don't want them arbitrarily accessing other methods. I suppose I could put my utility methods in their own folder, but then accessing them is more complicated. What do most people do to handle this situation?

Thanks.

James W. Howe mailto:jwh@allencreek.com
Allen Creek Software, Inc. pgpkey: http://ic.net/~jwh/pgpkey.html
Ann Arbor, MI 48103
"James W. Howe" wrote: ...
I have a root folder named Foo which contains all the content for my web site. The Foo folder has a user folder defined for it. I create a new role called "registered". For each subfolder that I want to be publicly viewable I simply use the default security level. For any folder which is only accessible to registered users I change the security to prevent acquisition of the "Access Contents Information" and instead check it for all applicable roles other than anonymous. For example, I would select it for the "registered" role.
The above seems to cover most of my site, however I still have a problem. My Foo root folder contains several "utility" type DTMLMethods. Under the scheme described above any user could view the methods if they typed the appropriate URL. The key thing is that I want the user to be able to view the index_html method, for example, but I don't want them arbitrarily accessing other methods. I suppose I could put my utility methods in their own folder, but then accessing them is more complicated. What do most people do to handle this situation?
Do the same thing for View as well for those methods you don't want 'any user' to access. It is down towards the bottom of the list.

--
In flying I have learned that carelessness and overconfidence are usually far more dangerous than deliberately accepted risks.
-- Wilbur Wright in a letter to his father, September 1900
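The following is an added illustration, not part of the thread and not Zope's own code: a simplified Python model of the per-permission "acquire" checkbox and role grants discussed above, applied to the Foo layout. The root defaults, the names `util_method` and `members`, and treating every visitor as also holding Anonymous are assumptions of the model.

```python
VIEW, ACCESS = "View", "Access contents information"

class Node:
    """One object in the hierarchy with its own Security-tab settings."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.settings = {}  # permission -> (acquire flag, roles granted here)

    def set_permission(self, permission, roles, acquire):
        self.settings[permission] = (acquire, set(roles))

    def roles_for(self, permission):
        """Roles holding `permission` here, following acquisition upwards."""
        acquire, roles = self.settings.get(permission, (True, set()))
        if acquire and self.parent is not None:
            return roles | self.parent.roles_for(permission)
        return set(roles)

def allowed(node, permission, user_roles):
    # Model assumption: every visitor also counts as Anonymous.
    return bool(node.roles_for(permission) & (set(user_roles) | {"Anonymous"}))

def build_site():
    """Foo layout from the thread; util_method and members are hypothetical names."""
    root = Node("root")
    for perm in (VIEW, ACCESS):  # assumed root defaults
        root.set_permission(perm, {"Anonymous", "Manager"}, acquire=False)
    foo = Node("Foo", root)
    site = {n: Node(n, foo) for n in ("index_html", "util_method", "members")}
    site["Foo"] = foo
    # The proposed scheme: only "Access contents information" is restricted.
    site["members"].set_permission(ACCESS, {"registered", "Manager"}, acquire=False)
    return site

def lock_down_view(node, roles=("registered", "Manager")):
    """The follow-up advice: stop acquiring View and grant it to named roles."""
    node.set_permission(VIEW, roles, acquire=False)

def anonymous_exposure(site):
    """Objects an unauthenticated visitor can still request by URL (View)."""
    return sorted(n for n, obj in site.items() if allowed(obj, VIEW, []))

if __name__ == "__main__":
    site = build_site()
    print("before:", anonymous_exposure(site))
    lock_down_view(site["util_method"])
    print("after: ", anonymous_exposure(site))
```

In this model the `members` folder stays viewable by Anonymous until View is restricted on it too, because the scheme only changed "Access contents information".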
participants (3)
- Bill Anderson
- James W. Howe
- Tony McDonald