How to properly do navigation Bar without un-authorized sub-objects?
I need to "hand generate" a navigation bar, showing only those subobjects which the current user is authorized to view. It seems as if I'd get an AttributeError when trying to access items that I can't access, but with LoginManager it pops up a login box.. which I don't want.
My design is to have each "folder" have its own "DrawNavBar" DTML-Method, whose job it is to generate its own html.. If that folder has sub-folders, then that folder's DrawNavBar should call its sub-folders' DrawNavBar functions.
To avoid a recursive loop resolving DrawNavBar, I use aq_explicit, like this:
    <dtml-try>
      <dtml-var "_.getattr(PARENTS[-1].Z.Admin.aq_explicit,'ShowNavBar')(_.None,_)">
    <dtml-except AttributeError>
    </dtml-try>
The problem with this is that I get a login prompt from LoginManager if I'm anonymous..
I suppose I could use something like dtml-in to only show those objects to which I'm authorized, but I don't want to enumerate the contents of the folder, since I know exactly what I'm looking for.
So.. given an explicit path, how can I find out if the current user can 'access' that path item, such as a DTML-method?
I'm not asking Zope to confirm that the object exists if I don't have access to it.. just say "no such object" or "here's the object" and not use acquisition to find it up the path.
Ideas?
Thanks
Brad Clements, bkc@murkworks.com (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements
Brad Clements wrote: [snip]
To avoid a recursive loop resolving DrawNavBar, I use aq_explicit, like this:
<dtml-try> <dtml-var "_.getattr(PARENTS[-1].Z.Admin.aq_explicit,'ShowNavBar')(_.None,_)"> <dtml-except AttributeError> </dtml-try>
The problem with this is that I get a login prompt from LoginManager if I'm anonymous..
[snip]
Did you try setting a proxy role on the ShowNavBar method that can execute this?
-- | Casey Duncan | Kaivo, Inc. | cduncan@kaivo.com `------------------>
On 27 Feb 2001, at 8:46, Casey Duncan wrote:
Brad Clements wrote: [snip]
To avoid a recursive loop resolving DrawNavBar, I use aq_explicit, like this:
<dtml-try> <dtml-var "_.getattr(PARENTS[-1].Z.Admin.aq_explicit,'ShowNavBar')(_.None,_)"> <dtml-except AttributeError> </dtml-try>
The problem with this is that I get a login prompt from LoginManager if I'm anonymous..
[snip]
Did you try setting a proxy role on the ShowNavBar method that can execute this?
No.. I don't want it to show if the logged in user doesn't have rights to it.
I want a way to see, in DTML (or an external method), if the current user has rights to an object.. if they have rights, does the object exist.
If they don't have rights, it's okay to raise an exception (AttributeError) which I can catch. But I don't want the SecurityManager to try to authenticate our access to it..
Brad Clements, bkc@murkworks.com (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements
Brad Clements wrote:
Did you try setting a proxy role on the ShowNavBar method that can execute this?
No.. I don't want it to show if the logged in user doesn't have rights to it.
I want a way to see, in DTML (or an external method), if the current user has rights to an object.. if they have rights, does the object exist.
If they don't have rights, it's okay to raise an exception (AttributeError) which I can catch. But I don't want the SecurityManager to try to authenticate our access to it..
Brad Clements, bkc@murkworks.com (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements
OK, how about if you call AUTHENTICATED_USER.has_permission() on each NavBar method to see if the user has rights to call it?
-- | Casey Duncan | Kaivo, Inc. | cduncan@kaivo.com `------------------>
On 27 Feb 2001, at 9:15, Casey Duncan wrote:
OK, how about if you call AUTHENTICATED_USER.has_permission() on each NavBar method to see if the user has rights to call it?
That does not work either. When I get the object to pass to has_permission, authentication kicks in.
Here's what I'm doing
    / Z (folder)
        ShowNavBar Method
        Admin (folder) (No rights to this folder)
            ShowNavBar Method
I need to know if the authenticated user (who may be anonymous) has rights to view Admin and/or Admin.ShowNavBar
Seems there's no way to get the Admin object for use with has_permission without firing off authentication.
Brad Clements, bkc@murkworks.com (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements
Brad Clements wrote:
On 27 Feb 2001, at 9:15, Casey Duncan wrote:
OK, how about if you call AUTHENTICATED_USER.has_permission() on each NavBar method to see if the user has rights to call it?
That does not work either. When I get the object to pass to has_permission, authentication kicks in.
Here's what I'm doing
/ Z (folder) ShowNavBar Method
Admin (folder) (No rights to this folder) ShowNavBar Method
I need to know if the authenticated user (who may be anonymous) has rights to view Admin and/or Admin.ShowNavBar
Seems there's no way to get the Admin object for use with has_permission without firing off authentication.
You should be able to avert the login box like so:
    <dtml-try>
      Whatever might fail due to lack of permissions
    <dtml-except Unauthorized>
      Whatever you do if not authorized (if anything)
    </dtml-try>
I tried this on a similar hierarchy with an anonymous callable method in an upper folder trying to call a method in a restricted folder lower down the tree. It excepted without popping up the login box.
-- | Casey Duncan | Kaivo, Inc. | cduncan@kaivo.com `------------------>
Hi,
--On Tuesday, 27 February 2001 11:29 -0500 Brad Clements <bkc@murkworks.com> wrote:
On 27 Feb 2001, at 9:15, Casey Duncan wrote:
OK, how about if you call AUTHENTICATED_USER.has_permission() on each NavBar method to see if the user has rights to call it?
That does not work either. When I get the object to pass to has_permission, authentication kicks in.
Here's what I'm doing
/ Z (folder) ShowNavBar Method
Admin (folder) (No rights to this folder) ShowNavBar Method
I need to know if the authenticated user (who may be anonymous) has rights to view Admin and/or Admin.ShowNavBar
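I'm using something like that in my folderish product:
    from AccessControl import getSecurityManager
    # true only if the current user has the permission on obj
    checkPermission = getSecurityManager().checkPermission
    for obj in self.objectValues(spec):
        if checkPermission('View', obj):
            pass  # obj is viewable by the current user
HTH
Tino Wildenhain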
On Wed, 28 Feb 2001 03:15, you wrote:
Brad Clements wrote:
Did you try setting a proxy role on the ShowNavBar method that can execute this?
No.. I don't want it to show if the logged in user doesn't have rights to it.
I want a way to see, in DTML (or an external method), if the current user has rights to an object.. if they have rights, does the object exist.
If they don't have rights, it's okay to raise an exception (AttributeError) which I can catch. But I don't want the SecurityManager to try to authenticate our access to it..
Brad Clements, bkc@murkworks.com (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements
OK, how about if you call AUTHENTICATED_USER.has_permission() on each NavBar method to see if the user has rights to call it?
I know I'm jumping in part way through a thread... but if you're using a <dtml-in> to iterate over the side-bar items, have you considered using the skip_unauthorized attribute?
If this is in Python, otoh, the ZQR says of AUTHENTICATED_USER.has_permission:
    has_permission(permission, object)
    Check to see if a user has a given permission on an object.
Hope this helps.
Have a better one,
Curtis Maloney.
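The two suggestions made in this thread (catching Unauthorized around the guarded access, and filtering with a boolean permission check), modelled in plain Python as an added example that is not part of the original messages. Unauthorized, Folder, the Docs and Users folders and the role sets are constructed stand-ins, not Zope's own classes.

```python
# Added example: a stand-alone model, not Zope code. Unauthorized, Folder and
# the role sets below are constructed stand-ins for the objects in the thread.
class Unauthorized(Exception):
    """Stand-in for the exception raised when a guarded access is denied."""

class Folder:
    def __init__(self, name, view_roles, children=()):
        self.name = name
        self.view_roles = frozenset(view_roles)      # roles granted 'View'
        self.children = {c.name: c for c in children}

def check_permission(user_roles, obj):
    """Boolean test in the style of checkPermission('View', obj)."""
    return bool(obj.view_roles & frozenset(user_roles))

def guarded_get(user_roles, folder, name):
    """Explicit lookup in this folder only; nothing is acquired from parents."""
    child = folder.children.get(name)
    if child is None:
        raise AttributeError(name)                   # no such object here
    if not check_permission(user_roles, child):
        raise Unauthorized(name)                     # exists, access denied
    return child

def nav_by_exception(user_roles, folder, depth=0):
    """try/except variant: the denial is handled here and never propagates."""
    lines = ["  " * depth + folder.name]
    for name in sorted(folder.children):
        try:
            child = guarded_get(user_roles, folder, name)
        except Unauthorized:
            continue                                 # leave the entry out
        lines += nav_by_exception(user_roles, child, depth + 1)
    return lines

def nav_by_check(user_roles, folder, depth=0):
    """Filter variant: ask first, descend only into permitted children."""
    lines = ["  " * depth + folder.name]
    for name in sorted(folder.children):
        child = folder.children[name]
        if check_permission(user_roles, child):
            lines += nav_by_check(user_roles, child, depth + 1)
    return lines

# Constructed sample tree: Z is public, Admin is Manager-only.
Z = Folder("Z", {"Anonymous"}, [
    Folder("Admin", {"Manager"}, [Folder("Users", {"Manager"})]),
    Folder("Docs", {"Anonymous", "Manager"}),
])
```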
participants (4): Brad Clements, Casey Duncan, Curtis Maloney, Tino Wildenhain