half programmatically authenticated from product
I'm having difficulties 'artificially' logging in a user from filesystem python code.

I'm trying to set up a queuing system for converting files that users upload. The uploads are pickled to the filesystem and I then use Xron to fire the conversions at regular intervals. Once the conversion is done, I want it added to the ZODB (along with various default methods), but I also need to check whether the user has permission to add files to the place they tried. I'm trying to perform this check when the scheduled conversion takes place as opposed to when the upload takes place, so I capture the username/password of the uploading user and store it in the pickle.

Here's my attempt at logging in programmatically:

    #Get hold of the original upload folder
    folder = context.restrictedTraverse(qfile.upload_url)
    #Authenticate with the same acl_users as the original uploader
    acl_users = folder.acl_users
    user = acl_users.authenticate(qfile.user, qfile.passw, request={})
    user = user.__of__(acl_users)
    newSecurityManager(None, user)

This works up to a point. The user does seem to be logged in and I can then call a ZODB python script that subsequently calls manage_addFolder (amongst other things).

However, when the ZODB python script tries to call a method of a product of mine (which adds one of my default methods to the folder made by the aforementioned manage_addFolder), I get the following in my log (line 126 in _doConversion calls my ZODB python script and addPPTindex_html is the method on my product);

    2002-07-23 12:53:51,187 ERROR AsyncZlaveClient failed on Qfile '56148' for user 'tim' (tim@sitefusion.co.uk)
    Traceback (most recent call last):
      File "D:\Zlave\zope251\lib\python\Products\ZOffice\AsyncZlaveClient\AsyncZlaveClient.py", line 126, in _doConversion
        extension=qfile.extension)
      File "D:\Zlave\zope251\lib\python\Shared\DC\Scripts\Bindings.py", line 252, in __call__
        return self._bindAndExec(args, kw, None)
      File "D:\Zlave\zope251\lib\python\Shared\DC\Scripts\Bindings.py", line 283, in _bindAndExec
        return self._exec(bound_data, args, kw)
      File "D:\Zlave\zope251\lib\python\Products\PythonScripts\PythonScript.py", line 302, in _exec
        result = apply(f, args, kw)
      File "Script (Python)", line 37, in addFolderAndFiles
      File "D:\Zlave\zope251\lib\python\AccessControl\ZopeGuards.py", line 58, in guarded_getattr
        return inst.aq_acquire(name, aq_validate, validate)
      File "D:\Zlave\zope251\lib\python\AccessControl\ZopeGuards.py", line 40, in aq_validate
        return validate(inst, obj, name, v)
      File "D:\Zlave\zope251\lib\python\AccessControl\SecurityManager.py", line 83, in validate
        self._context)
      File "D:\Zlave\zope251\lib\python\AccessControl\ZopeSecurityPolicy.py", line 200, in validate
        raise Unauthorized(name, value)
    Unauthorized: You are not allowed to access addPPTindex_html in this context

So, after that long-winded description, my question is... why does the authentication seem to run out when calling a product method when it can call manage_addFolder()?

cheers

tim
Tim Hicks writes:
> I'm having difficulties 'artificially' logging in a user from filesystem python code.

Your "acl_users" has a "validate" or "authenticate" method. Call it, to log in your user.

> I'm trying to set up a queuing system for converting files that users upload. The uploads are pickled to the filesystem and I then use Xron to fire the conversions at regular intervals. Once the conversion is done, I want it added to the ZODB (along with various default methods), but I also need to check whether the user has permission to add files to the place they tried. I'm trying to perform this check when the scheduled conversion takes place as opposed to when the upload takes place, so I capture the username/password of the uploading user and store it in the pickle.

Why do you not do it immediately? It would give the user much better feedback.
Dieter
Thanks for the reply Dieter,
> Tim Hicks writes:
> > I'm having difficulties 'artificially' logging in a user from filesystem python code.
>
> Your "acl_users" has a "validate" or "authenticate" method. Call it, to log in your user.

I'm calling "authenticate" already. Here's the code I'm using again;

<begin>
    #Get hold of the original upload folder
    folder = context.restrictedTraverse(qfile.upload_url)
    #Authenticate with the same acl_users as the original uploader
    acl_users = folder.acl_users
    user = acl_users.authenticate(qfile.user, qfile.passw, request={})
    user = user.__of__(acl_users)
    newSecurityManager(None, user)
<end>

I just looked at the "validate" method of the BasicUserFolder class in AccessControl.User, and I don't really understand how I would use it in my case. Its arguments are 'request, auth, roles', whereas I have a username and password that I'd like to use to authenticate with. What am I missing?

Just to be clear, the authentication appears to work, but only for the first level of protected code, second level protected code (i.e. that called from first level) seems to fail, although I can call manage_addFolder()... weird.

As an aside: I added in the """user = user.__of__(acl_users)""" because I was getting AttributeErrors (I think) on 'aq_inner' from my user object. I presumed I needed to wrap the user object to get it to work properly.

> > I'm trying to set up a queuing system for converting files that users upload. The uploads are pickled to the filesystem and I then use Xron to fire the conversions at regular intervals. Once the conversion is done, I want it added to the ZODB (along with various default methods), but I also need to check whether the user has permission to add files to the place they tried. I'm trying to perform this check when the scheduled conversion takes place as opposed to when the upload takes place, so I capture the username/password of the uploading user and store it in the pickle.
>
> Why do you not do it immediately? It would give the user much better feedback.

I started off not doing it automatically because the queue mechanism was separate from the upload. I agree, raising an error on the upload would be good feedback. But given that the queue time is potentially quite long, I figure the user permissions and/or the action on the queued file may be changed in that time (it is web-configurable). To me, the system seems to have better integrity if checks are done at the time of commitment to the ZODB. As for user feedback, they are informed via email of developments.

cheers

tim
Tim Hicks writes:
> ...
> acl_users = folder.acl_users
> user = acl_users.authenticate(qfile.user, qfile.passw, request={})
> user = user.__of__(acl_users)
> newSecurityManager(None, user)
> ...
> Just to be clear, the authentication appears to work, but only for the first level of protected code, second level protected code (i.e. that called from first level) seems to fail, although I can call manage_addFolder()... weird.

I do not see why. Does it use "REQUEST.AUTHENTICATED_USER"? This is not changed by "newSecurityManager".
Dieter
On Wed, Jul 24, 2002 at 12:30:22AM +0100, Tim Hicks wrote:
> Tim Hicks writes:
> I'm having difficulties 'artificially' logging in a user from filesystem python code.

I don't know if this is of any help, but you could look at ZShell's sources, and its run_su() method, which simulates the UNIX su command. ZShell is available from http://www.librelogiciel.com/software/

hth.

bye,

Jérome Alet
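
An added sketch, not code from this thread, Zope or ZShell, of the switch-user step discussed above: it resolves the uploader by id at conversion time instead of replaying a stored password, re-checks the permission, and restores the scheduler's security context afterwards. The names run_as, process and the Fake* stand-ins are hypothetical, "Add Folders" is assumed as the permission to test, and in a Zope instance sm would be the AccessControl.SecurityManagement module; it is written for present-day Python.

```python
from contextlib import contextmanager

@contextmanager
def run_as(user_folder, user_id, sm):
    """Switch to user_id for one job and always restore the previous context.

    sm: in Zope, the AccessControl.SecurityManagement module
    (getSecurityManager, newSecurityManager, setSecurityManager).
    As noted in the thread, REQUEST.AUTHENTICATED_USER is not changed by this.
    """
    user = user_folder.getUserById(user_id)
    if user is None:
        raise LookupError("unknown user %r" % (user_id,))
    if hasattr(user, "__of__"):            # acquisition-wrap, as in the post
        user = user.__of__(user_folder)
    previous = sm.getSecurityManager()
    sm.newSecurityManager(None, user)
    try:
        yield user
    finally:
        sm.setSecurityManager(previous)    # do not leak identity into the next job

def process(item, folder, user_folder, sm, permission="Add Folders"):
    """Re-check the uploader's permission at commit time; item holds no password."""
    with run_as(user_folder, item["user"], sm) as user:
        if not user.has_permission(permission, folder):
            return "denied"
        return "added"                     # real code would call manage_addFolder here

# --- constructed stand-ins so the sketch runs without Zope ---
class FakeUser:
    def __init__(self, name, perms): self.name, self.perms = name, perms
    def has_permission(self, permission, obj): return permission in self.perms

class FakeFolder:
    def __init__(self, users): self.users = users
    def getUserById(self, uid, default=None): return self.users.get(uid, default)

class FakeSM:
    current = "scheduler"                  # whoever ran the scheduled job
    def getSecurityManager(self): return self.current
    def newSecurityManager(self, request, user): self.current = user
    def setSecurityManager(self, manager): self.current = manager

def demo():
    sm = FakeSM()
    users = FakeFolder({"tim": FakeUser("tim", {"Add Folders"}),
                        "guest": FakeUser("guest", set())})
    results = [process({"user": u}, object(), users, sm) for u in ("tim", "guest")]
    return results, sm.current
```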
participants (3): Dieter Maurer, Jerome Alet, Tim Hicks