Post authentication hook and anonymous users
Hi Zope people,

I have been using Dieter Maurer's Post authentication hook quite successfully to restrict access to a folder for a group of users. Now, my problem is that Post authentication hook is only called... for authenticated users (as its name implies). That's a problem for me, because anonymous users that can guess a URL could access private areas that I have set up.

(BTW, I am aware that I could restrict the access by changing the "View" permission in the "Security" tab and remove "Acquired", but that's not good enough: it then shows all documents to authorized users, regardless of their workflow state).

Anyway, I am thinking of adding an unvalidated_hook call in ZPublisher/BaseRequest.py, something like:

    if user is not None:
        if validated_hook is not None:
            validated_hook(self, user)
        request['AUTHENTICATED_USER'] = user
        request['AUTHENTICATION_PATH'] = '/'.join(steps[:-i])
    else:
        unvalidated_hook(request)

And then in unvalidated_hook, I would dynamically check if anonymous users can access the current folder.

Am I on the right track, or is there a built-in functionality in Zope to accomplish what I am trying to do? Advice and pointers are welcome.

Cheers
Cyrille
Cyrille Bonnet wrote at 2005-3-3 11:29 +1300:
> ... Anyway, I am thinking of adding an unvalidated_hook call in ZPublisher/BaseRequest.py, something like:
>
>     if user is not None:
>         if validated_hook is not None:
>             validated_hook(self, user)
>         request['AUTHENTICATED_USER'] = user
>         request['AUTHENTICATION_PATH'] = '/'.join(steps[:-i])
>     else:
>         unvalidated_hook(request)

You should always have a "user" (i.e. "user" should not be "None"). If the user is not authenticated, you should get the "Anonymous user". The "user is None" case should only occur when the root does not contain an "acl_users" (but then your Zope site is insane).

-- Dieter
Hi Dieter,

thanks for your sanity check! Before, I was checking for role "Anonymous", which exists in Python scripts, but apparently not in post_authentication_hook... After reading your posting, I've tried to test if username=="Anonymous user" and it works! Thanks for your help.

I've finished that how-to on plone.org and will post its URL once it is approved.

Cheers
Cyrille

Dieter Maurer wrote:
> Cyrille Bonnet wrote at 2005-3-3 11:29 +1300:
> > ... Anyway, I am thinking of adding an unvalidated_hook call in ZPublisher/BaseRequest.py, something like:
> >
> >     if user is not None:
> >         if validated_hook is not None:
> >             validated_hook(self, user)
> >         request['AUTHENTICATED_USER'] = user
> >         request['AUTHENTICATION_PATH'] = '/'.join(steps[:-i])
> >     else:
> >         unvalidated_hook(request)
>
> You should always have a "user" (i.e. "user" should not be "None"). If the user is not authenticated, you should get the "Anonymous user".
> The "user is None" case should only occur when the root does not contain an "acl_users" (but then your Zope site is insane).
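As an added illustration of the check the two posts converge on (not code from the thread, from Zope, or from Dieter Maurer's product): a hook in the `(request, user)` shape that ZPublisher passes to `validated_hook`, which denies the Anonymous user access to a protected folder and everything under it. The folder paths, the `StubUser` class and the dict standing in for the request are constructed for the example; the stand-in `Unauthorized` replaces `AccessControl.Unauthorized` so the code runs without Zope. Zope's built-in anonymous user is named "Anonymous User" (the thread writes it with a lowercase u), so the name is compared case-insensitively, and a user carrying only the Anonymous role is treated the same way.

```python
# Added example: a post-authentication hook that keeps the Anonymous user
# out of private folders. Not from the thread, Zope or Dieter Maurer's product.

ANONYMOUS_NAME = 'Anonymous User'                   # name of Zope's built-in nobody
PRIVATE_PREFIXES = ('/site/private', '/site/drafts')  # constructed for the example


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized so this runs without Zope."""


def is_anonymous(user):
    """True for the Anonymous user, by name (case-insensitive) or by roles."""
    if user.getUserName().lower() == ANONYMOUS_NAME.lower():
        return True
    roles = tuple(user.getRoles())
    # Real users get 'Authenticated' appended to their roles; nobody does not.
    return 'Anonymous' in roles and 'Authenticated' not in roles


def in_private_area(path, prefixes=PRIVATE_PREFIXES):
    """Match whole path segments only: /site/private2 must not match /site/private."""
    return any(path == p or path.startswith(p + '/') for p in prefixes)


def restrict_anonymous_hook(request, user):
    """Callable in the (request, user) shape BaseRequest passes to validated_hook."""
    path = request['PATH_INFO']
    if is_anonymous(user) and in_private_area(path):
        raise Unauthorized('Anonymous access to %s is not allowed' % path)


class StubUser:
    """Minimal stand-in exposing the two user methods the hook relies on."""
    def __init__(self, name, roles):
        self.name, self.roles = name, roles

    def getUserName(self):
        return self.name

    def getRoles(self):
        return self.roles


def check(path, user):
    """Run the hook for one request; return 'denied' or 'allowed'."""
    try:
        restrict_anonymous_hook({'PATH_INFO': path}, user)
    except Unauthorized:
        return 'denied'
    return 'allowed'
```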