[Grok-dev] Re: Grokwiki Security in Eggified Grok
Martijn Faassen
faassen at startifact.com
Sat Aug 18 13:22:49 EDT 2007
Uli Fouquet wrote:
> Hi Steve,
>
> Am Freitag, den 17.08.2007, 22:00 -0700 schrieb Steve Schmechel:
>> It used to be that editing securitypolicy.zcml and principals.zcml in
>> parts/instance/etc and adding "grok.define_permission" and
>> "grok.require" statements to the code, allowed one to require
>> authentication with proper permissions in order to edit pages.
>>
>> Using current trunk code, it appears that the security directives go
>> into the buildout.cfg and are then copied into
>> parts/grokwiki/site.zcml. However, tese settings seem to have little
>> effect. (Even changing just the manager password that is built by
>> default.)
>>
>> Instead of the app causing the browser to display a login/password
>> dialog when trying to edit, the browser is redirected to the admin
>> page, where a form-based login and password only responds to the
>> original grok/grok authentication.
>>
>> Am I missing something simple? Has something changed due to the new
>> (much nicer) admin page?
>
> Yes, something changed. The admin-UI installs a different Pluggable
> User-Authentication (PAU) on setup. Unfortunately no 'native' editing of
> the users and their passwords is currently possible.
By 'native' I assume you mean editing of this information from within
the grok admin UI, right? I think it's a very high priority to enable
this, as we don't want to rely on the obscure and ugly ZMI in any way.
We also need to consider the interaction between Grok's authentication
story and the authentication story of any grok-based application. I
assume that someone can just install their own authentication plugin in
their application's site and that authentication will then work for
users defined there. What about the users defined high-up by grok
though? What can they do?
Regards,
Martijn
More information about the Grok-dev
mailing list