[Zope-CMF] How to make your CMF portal "Members Only"

Joel Burton joel@joelburton.com
Mon, 19 Aug 2002 19:17:15 -0400


On Mon, Aug 19, 2002 at 12:48:36PM +0100, Chris Withers wrote:
> Ausum Studio wrote:
> >I tried that and, as I said, the result is a browser's hung-up (IE and
> >Opera). Fortunately Mozilla did have an error message: "Redirection limit
> >for this URL exceeded. Unable to load the requested page". What apparently
> >happens is that the missing authorization redirects the request to the
> >"login_form" URL instead of the browser's login prompt, but due to any
> >method can't be viewed by anonymous users, it is again redirected to itself
> >thus starting the redirection loop.
> 
> Two options:
> 
> 1. delete the cookie_authentication object so basic auth will be used (the 
> browser's login prompt)
> 
> 2. make login_form anonymously viewable

I have this working for me, but there are a few more steps to #2:

2a) customize login_form and logged_out. Move from the custom skins
folder to the root of the site (else we have to give anon access to
/portal_skins and /portal_skins/custom, which seems like a bad idea)

2b) give login_form and logged_out anon privileges for "access content
information" and "view". The CMF portal should give these perms to
authenticated users only.

2c) edit login_form and take out the metal:use-macro and metal:fill-slot
stuff. (For DTML, this will be std_header and std_footer stuff). Now
it's just a login page, w/o the navigation bars, etc.

2d) edit logged_out and take out the same headers/footers/metal stuff.
Simply make this a paragraph saying you've been logged out. (take out
the portal_membership stuff, etc.)

2e) give anon access to portal_url (for perms access content info and
view), which is needed by login_form.

There you go! When someone tries to get to the portal, they'll be
redirected to the login page, which now has only one dependency
(portal_url, made safe for anon). When they log out, the logout script
calls the logged_out form, which now has no dependencies.

I can't promise that it's 100% secure, but it works for me.

-- 

Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
Independent Knowledge Management Consultant
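
The redirect loop from the quoted report and the effect of steps 2b and 2e, as an added example that is not part of the original message: a simplified Python model, not Zope/CMF code. The object names come from the thread; `index_html`, the dependency table and the redirect limit of 20 are assumptions made for illustration.

```python
# Simplified model of the setup in the message above; not Zope/CMF code.
# Object names come from the thread; "index_html" is an assumed stand-in for
# any members-only page. DEPENDS_ON lists what each page needs to render.
REDIRECT_LIMIT = 20  # assumed value; browsers give up after some such limit

DEPENDS_ON = {
    "login_form": ["portal_url"],   # after step 2c (metal macros removed)
    "logged_out": [],               # after step 2d (no portal_membership use)
    "index_html": ["portal_url", "portal_membership"],
}

def can_render(name, anon_ok):
    """A page renders for Anonymous only if it and everything it uses is allowed."""
    return name in anon_ok and all(d in anon_ok for d in DEPENDS_ON.get(name, []))

def fetch_as_anonymous(name, anon_ok):
    """Follow the cookie-auth redirects for an anonymous request; return the outcome."""
    hops = 0
    while not can_render(name, anon_ok):
        # Unauthorized: cookie authentication sends the browser to login_form.
        name = "login_form"
        hops += 1
        if hops > REDIRECT_LIMIT:
            return "redirect loop"
    return "rendered " + name

def anonymous_surface(anon_ok):
    """Pages an anonymous visitor can actually render; this should stay minimal."""
    return sorted(n for n in DEPENDS_ON if can_render(n, anon_ok))

if __name__ == "__main__":
    cases = [
        ("everything members-only", set()),
        ("login_form opened, step 2e skipped", {"login_form"}),
        ("steps 2b and 2e applied", {"login_form", "logged_out", "portal_url"}),
    ]
    for label, anon_ok in cases:
        print(label, "->", fetch_as_anonymous("index_html", anon_ok),
              "| anonymous can render:", anonymous_surface(anon_ok))
```
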