-----Original Message-----
From: Guy Davis [mailto:davis@arc.ab.ca]
I am trying to disallow anonymous access for all but a handful of domains. This is easy to do with Apache, but how can it be done with Zope?
The only thing I could think of was to have the following in the standard_html_header.
<dtml-if "AUTHENTICATED_USER == 'Anonymous User'">
  {if remote address is acceptable}
    {show the true page}
  {else show an error message}
<dtml-else>
  {show the true page}
</dtml-if>
However the above expression never evaluates to true even when <dtml-var AUTHENTICATED_USER> shows 'Anonymous User' on the same page. If I try to use string.find(), Zope complains that AUTHENTICATED_USER is a bad argument.
Is there some way to salvage what I'm doing, or better yet is there a simpler mechanism to achieve this goal? Thanks.
Yes. You can make a new Role, let's call it DomainUser. You give this Role all privileges that the Anonymous Role has, and you revoke all rights from the Anonymous Role.

Now you create a new user, and call this AnonymousDomainUser. This user you give _no_ password, just leave the password fields blank. You do specify the domains however; it is a space separated list of domain specs, where each domain spec can be either a domain name, or an IP address, where wildcards can be used anywhere between the dots. For example:

  *.zope.org *.digicool.com 192.8.*.*

is a valid domain spec. And you also give the user the DomainUser Role.

Now, as soon as a visitor comes to your site from a domain that matches the domain spec, Zope will, without asking for a password, match him against the AnonymousDomainUser User, give him the DomainUser Role, and grant that visitor access.

Anyone from any other domain will be prompted for a username and password.

--
Martijn Pieters, Software Engineer
| Digital Creations http://www.digicool.com
| Creators of Zope http://www.zope.org
| mailto:mj@digicool.com ICQ: 4532236
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
-------------------------------------------
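Added example (not part of the original messages and not Zope's own code): a small Python sketch of the domain-spec check described in the reply above, run against constructed sample clients. The function names are hypothetical, and it assumes that "*" stands for exactly one dot-separated label and that a spec entry must have as many labels as the value it is compared with; the thread does not say how Zope treats a host with more labels than the spec.

```python
# Added illustration, not Zope's own code.
# Assumption: "*" stands for exactly one dot-separated label, and a spec
# entry must have the same number of labels as the value it is compared to.

SPEC = "*.zope.org *.digicool.com 192.8.*.*"   # the example spec from the message

def _labels_match(pattern, value):
    p, v = pattern.lower().split("."), value.lower().split(".")
    return len(p) == len(v) and all(a in ("*", b) for a, b in zip(p, v))

def _is_address_spec(pattern):
    # Entries made only of digits and "*" are compared with the IP address,
    # everything else with the resolved host name.
    return all(part == "*" or part.isdigit() for part in pattern.split("."))

def domain_spec_match(spec, remote_addr, remote_host=""):
    """Return the first spec entry that matches the client, or None."""
    for pattern in spec.split():
        candidate = remote_addr if _is_address_spec(pattern) else remote_host
        if candidate and _labels_match(pattern, candidate):
            return pattern
    return None

def access_decision(spec, remote_addr, remote_host=""):
    """Mirror the outcome described above: role without password, or a prompt."""
    if domain_spec_match(spec, remote_addr, remote_host):
        return "DomainUser"
    return "prompt for username and password"

# Constructed sample clients (address, resolved host name); not real traffic.
SAMPLE_CLIENTS = [
    ("192.8.14.7", ""),
    ("192.80.14.7", ""),                          # "80" is not "8": compared per label
    ("203.0.113.5", "www.zope.org"),
    ("203.0.113.5", "www.zope.org.example.net"),  # look-alike suffix, no match
    ("198.51.100.9", "host.example.com"),
]

if __name__ == "__main__":
    for addr, host in SAMPLE_CLIENTS:
        print(f"{addr:15} {host or '-':28} -> {access_decision(SPEC, addr, host)}")
```

Name-based entries are only as reliable as the reverse-DNS lookup that produced the host name, so address entries such as 192.8.*.* are the stronger control.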
Thanks for this response. I saved it for a while but recently got around to following your suggestions.

I set this up so that AnonymousDomainUser is available at the top level folder. Then in /Projects/TestProject, I have a whole set of other users as there is no anonymous access to TestProject. When someone from the right domain brings up the root folder, they match to AnonymousDomainUser but when they try to bring up TestProject, their username and password are consistently rejected.

If I then go back to the security panel of the root folder and give the Anonymous role just the capability to view, they can then log in properly and access TestProject, but then I have lost the domain filtering on anonymous viewers.

Is there some way to have both anonymous domain-restricted access and also certain directories with only authorized-user access? Thanks.

Martijn Pieters wrote:
Yes. You can make a new Role, let's call it DomainUser. You give this Role all privileges that the Anonymous Role has, and you revoke all rights from the Anonymous Role.
Now you create a new user, and call this AnonymousDomainUser. This user you give _no_ password, just leave the password fields blank. You do specify the domains however; it is a space separated list of domain specs, where each domain spec can be either a domain name, or an IP address, where wildcards can be used anywhere between the dots. For example: *.zope.org *.digicool.com 192.8.*.* is a valid domain spec. And you also give the user the DomainUser Role.
Now, as soon as a visitor comes to your site from a domain that matches the domain spec, Zope will, without asking for a password, match him against the AnonymousDomainUser User, give him the DomainUser Role, and grant that visitor access.
Anyone from any other domain will be prompted for a username and password.
--
Martijn Pieters, Software Engineer
| Digital Creations http://www.digicool.com
| Creators of Zope http://www.zope.org
| mailto:mj@digicool.com ICQ: 4532236
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
-------------------------------------------

--
Guy Davis mailto:davis@arc.ab.ca
(403) 210-5334
Alberta Research Council