RE: [Zope] hasRole bug or feature in 2.2.?

13 Jan 2001

      ...
From: Ron Bickers [mailto:rbickers@logicetc.com]
...
If this is true, it explains clearly Zope's behavior.  It's really a
browser
"feature" and not a Zope issue at all.
Yes, that's the problem.

My solution is to use a custom UserFolder, which sets a temporary cookie
when a normal HTTP login is accepted.  This cookie is then used for
further validation.  The class I use is rather complex, providing
persistent login in addition to these features, and randomly re-creating
the cookie so one can't easily spoof a user, but this simple class will
get you going:

class UserFolder(AccessControl.User.BasicUserFolder):
	def validate(self, request, auth='', roles=None):
		user = AccessControl.User.BasicUserFolder.validate(self,
request, auth, roles)
		if user is AccessControl.User.nobody or user is None:
			if request.cookies.has_key('login'):
				user =
self.getUser(request.cookies['login'])
		else:
			request.response.setCookie('login',
user.getUserName(), path='/')

		return user

-Randy

Randall F. Kern

tags

participants (1)