Logging in a user programmatically...
At the risk of asking too many questions...

First of all, I should mention that a vast majority of the novice as well as intermediate questions in this group seem to be targeted at User/Role/Permission/Login related problems. Maybe someday, we'll get better documentation/examples on these types of issues.

Now for the question: I've got a form that allows a new user to create a login for themselves in the acl_users folder. I want to be able to immediately log them into the system when their account is created (possibly in the same script). I've searched everywhere for examples of this in Python or DTML and can't find what I'm looking for. If someone could help with an example and possibly some suggestions on whether this is even a good idea, I would appreciate it.

Thanks to all the Zopistas for fielding all the questions... Hopefully I can do the same someday :)

-Rob
* Rob Foster <rob@thefosters.com> [011104 00:22]:
> I've got a form that allows a new user to create a login for themselves in the acl_users folder. I want to be able to immediately log them into the system when their account is created (possibly in the same script).
Yes, I used to ask this question a lot and never got an answer. I gave up and then worked it out about 18 months later :-) Here's how you can do it from a python Product:

    from AccessControl.SecurityManagement import newSecurityManager
    ...
    newSecurityManager(None, user)

(where 'user' is the new user object you just created).

You couldn't do this in a pythonscript or dtml without creating a fairly massive security hole, though. You'd be able to do it with an external method, but you'd want to make sure only the person who's creating the account can call it.

seb
Sorry for asking, but what exactly does this do? Without either having a cookie or the BASIC AUTHENTICATION info from a user, how could Zope log somebody in and make sure that it is just that person (and his browser session) that gets access?

Cheers
Joachim
* Joachim Werner <joe@iuveno-net.de> [011104 22:51]:
> >     from AccessControl.SecurityManagement import newSecurityManager
> >     ...
> >     newSecurityManager(None, user)
> >
> > (where 'user' is the new user object you just created).
>
> Sorry for asking, but what exactly does this do? Without either having a cookie or the BASIC AUTHENTICATION info from a user, how could Zope log somebody in and make sure that it is just that person (and his browser session) that gets access?
Good point, that was only half the story. By creating a new security manager using a specific user, you're only 'logging them in' for the duration of the request. So I didn't really answer the question as posed. To do that, I'd use something like the CookieCrumbler from the CMF (works standalone too, though) and set the relevant cookies (__ac_user and __ac_password).

seb
participants (3): Joachim Werner, Rob Foster, seb bacon
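
The behaviour discussed in this thread, as an added stand-alone model that is not code from the posters, from Zope or from CookieCrumbler: a security manager set during registration lasts only for that request, and the login persists only if the browser is given something to resend. The `auth` cookie, its name:password base64 format, and all function names are assumptions made for illustration.

```python
# Simplified model, not Zope code; every name below is hypothetical.
import base64
import hmac

USERS = {}                    # stands in for acl_users: name -> password
_current = {"user": None}     # stands in for the per-request security manager


def new_security_manager(user):
    """Model of newSecurityManager(None, user): affects the current request only."""
    _current["user"] = user


def authenticate(cookies):
    """Runs at the start of every request; identity comes only from what was sent."""
    _current["user"] = None   # nothing carries over from the previous request
    token = cookies.get("auth")          # hypothetical cookie name
    if not token:
        return
    try:
        name, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return                # malformed cookie: stay anonymous
    stored = USERS.get(name)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        _current["user"] = name


def handle(path, cookies, form=None, set_cookie=False):
    """Process one request; return (user at end of request, cookies to set)."""
    authenticate(cookies)
    out = {}
    if path == "/register":
        USERS[form["name"]] = form["password"]
        new_security_manager(form["name"])   # "logged in" until this request ends
        if set_cookie:
            # Persisting the login means the browser must resend credentials.
            # Base64 is encoding, not encryption: such a cookie needs TLS.
            raw = f'{form["name"]}:{form["password"]}'.encode()
            out["auth"] = base64.b64encode(raw).decode()
    return _current["user"], out
```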