Going from Zope 2.1.6 to 2.3.0: security issue
We are in the process of moving from Zope 2.1.6 to Zope 2.3.0.
We had some web pages that we wanted to restrict to people just at our research lab.
We did this by creating a role called "localUsers". And then we added a user with a domain of *.parc.xerox.com that had the role of localUsers. This allowed anyone whose web browser was on a machine in *.parc.xerox.com to access the pages. This worked great in 2.1.6.
When we brought up Zope 2.3.0 we find that we get prompted for an id and password when accessing web pages that have our role localUsers applied to them. We can tell the user what to type, but it is annoying.
What's the best way to restrict a set of pages to a particular domain without having to require the user to login?
Thanks.
Hi Becky,
In the file "lib/python/AccessControl/User.py", change the line (~ 508) which reads "_domain_auth_mode=0" to "_domain_auth_mode=1", and restart Zope. This particular functionality was turned off in Zope 2.3.0 because it implies a very expensive call on each request that's useful to only a few folks (obviously you're one of them! ;-)
I'm not sure why Randy Kern's suggestion didn't work for you (because it looks reasonable), but this is the surefire way to enable it.
(ps - how are you using Zope at Xerox PARC? Neat!)
----- Original Message -----
From: <burwell@parc.xerox.com>
To: <zope@zope.org>
Sent: Tuesday, February 06, 2001 1:35 PM
Subject: [Zope] Going from Zope 2.1.6 to 2.3.0: security issue
We are in the process of moving from Zope 2.1.6 to Zope 2.3.0.
We had some web pages that we wanted to restrict to people just at our research lab.
We did this by creating a role called "localUsers". And then we added a user with a domain of *.parc.xerox.com that had the role of localUsers. This allowed anyone whose web browser was on a machine in *.parc.xerox.com to access the pages. This worked great in 2.1.6.
When we brought up Zope 2.3.0 we find that we get prompted for an id and password when accessing web pages that have our role localUsers applied to them. We can tell the user what to type, but it is annoying.
What's the best way to restrict a set of pages to a particular domain without having to require the user to login?
Thanks.
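An added sketch, not Zope's AccessControl code and not written by either poster, of what a domain-based access check like the one discussed in this thread involves: a reverse DNS lookup per request, a wildcard match against the allowed domain, and a forward lookup to confirm the name. All function names and the sample DNS data are hypothetical and constructed for the example.

```python
# Added illustration; not Zope's implementation. Names are hypothetical.
import fnmatch
import socket

def host_matches(spec, hostname):
    """Match a hostname against a domain spec such as '*.parc.xerox.com'."""
    return fnmatch.fnmatchcase(hostname.lower().rstrip("."), spec.lower())

def domain_allows(remote_addr, specs, reverse_lookup, forward_lookup):
    """Return True if remote_addr belongs to one of the allowed domain specs.

    reverse_lookup(addr) -> hostname or None (this is the per-request DNS cost)
    forward_lookup(hostname) -> list of addresses
    """
    hostname = reverse_lookup(remote_addr)
    if not hostname:
        return False
    if not any(host_matches(spec, hostname) for spec in specs):
        return False
    # The PTR record is set by whoever controls the address's reverse zone,
    # so accept the name only if it resolves back to the same address.
    return remote_addr in forward_lookup(hostname)

def dns_reverse(addr):
    """Real resolver for production use; returns None when there is no PTR."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def dns_forward(hostname):
    """Real resolver for production use; returns [] when the name is unknown."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []

# Constructed sample data standing in for DNS (documentation address ranges).
PTR = {"192.0.2.10": "alpha.parc.xerox.com",
       "198.51.100.7": "beta.parc.xerox.com",   # PTR claims the lab domain
       "203.0.113.5": "host.example.net"}
A = {"alpha.parc.xerox.com": ["192.0.2.10"],
     "beta.parc.xerox.com": ["192.0.2.99"],      # does not resolve back
     "host.example.net": ["203.0.113.5"]}

def check(addr, specs=("*.parc.xerox.com",)):
    """Run the decision against the constructed tables, with no network use."""
    return domain_allows(addr, specs, PTR.get, lambda h: A.get(h, []))
```

Passing `dns_reverse` and `dns_forward` to `domain_allows` in place of the tables performs the live lookups, which is the cost the reply refers to.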
participants (2)
- Burwell, Becky <burwell@parc.xerox.com>
- Chris McDonough