[Zope-CMF] Re: [Zope-dev] Re: CookieCrumbler and User-Logging
Florent Guillaume
fg at nuxeo.com
Mon Feb 21 14:55:40 EST 2005
Anyone opposed to including this in stock CMF?
Florent
Tres Seaver <tseaver at zope.com> wrote:
> Simon Neidhold wrote:
> | hi,
> |
> | i'm using the cookiecrumbler-product (v1.2) in a zope-2.7.1 instance to
> | get cookie-based login for my users.
> | the approach worked well until now.
> |
> | today i've encountered a problem. users can authorize themselves, but
> | their username isn't sent regularly within the authentication-header.
> | therefore all log entries in the Z2.log contain the username 'Anonymous
> | User', not the actual authenticated one.
> |
> | i've searched the mailinglist for possible fixes, but the only result is
> | that dirty hack:
> |
> | http://mail.zope.org/pipermail/zope-collector-monitor/2003-February/001733.html
> |
> | it was posted 2 years ago, so i'm looking forward that someone knows an
> | even better solution?
>
> I am attaching the patch which Casey Duncan worked up to log the
> cookie-based user somewhat more cleanly.
>
> Tres.
> --
> ===============================================================
> Tres Seaver tseaver at zope.com
> Zope Corporation "Zope Dealers" http://www.zope.com
>
> diff -I '$Id: cookie_auth_log.patch,v 1.1 2005/01/20 22:33:16 tseaver Exp
> $Revision:' --exclude CVS -c -r CMF-1.4.5/CMFCore/CookieCrumbler.py
> CMF-1.4.5+1/CMFCore/CookieCrumbler.py
> *** CMF-1.4.5/CMFCore/CookieCrumbler.py 2004-04-23 17:11:33.000000000 -0400
> --- CMF-1.4.5+1/CMFCore/CookieCrumbler.py 2004-07-14 15:32:01.000000000 -0400
> ***************
> *** 68,73 ****
> --- 68,75 ----
> 'label':'Auto-login page ID'},
> {'id':'logout_page', 'type': 'string', 'mode':'w',
> 'label':'Logout page ID'},
> + {'id':'log_username', 'type':'boolean', 'mode': 'w',
> + 'label':'Log cookie auth username to access log'}
> )
>
> auth_cookie = '__ac'
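
Review bot: The new log_username entry is the last item in the property tuple and has no trailing comma before the closing parenthesis, unlike the logout_page entry above it. Adding the comma keeps the next property addition a one-line diff and avoids a silent breakage if someone appends an entry without noticing.
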
> ***************
> *** 76,81 ****
> --- 78,84 ----
> persist_cookie = '__ac_persistent'
> auto_login_page = 'login_form'
> logout_page = 'logged_out'
> + log_username = 1
>
> security.declarePrivate('delRequestVar')
> def delRequestVar(self, req, name):
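
Review bot: log_username = 1 turns the new behaviour on by default, so every CookieCrumbler that picks up this class attribute starts writing cookie-auth usernames to the access log without anyone opting in. Consider defaulting to 0, or state the new default in the change notes so sites with log-retention or privacy constraints know to switch it off. A one-line comment beside the attribute saying what it controls would also help, since the neighbouring defaults are self-explanatory strings and this one is not.
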
> ***************
> *** 102,107 ****
> --- 105,127 ----
> security.declarePrivate('defaultExpireAuthCookie')
> def defaultExpireAuthCookie( self, resp, cookie_name ):
> resp.expireCookie( cookie_name, path='/')
> +
> + def _setAuthHeader(self, ac, request, response):
> + """Set the auth headers for both the Zope and Medusa http request
> + objects.
> + """
> + request._auth = 'Basic %s' % ac
> + request._cookie_auth = 1
> + response._auth = 1
> + if self.log_username:
> + # Set the authorization header in the medusa http request
> + # so that the username can be logged to the Z2.log
> + try:
> + medusa_headers = response.stdout._request._header_cache
> + except AttributeError:
> + pass
> + else:
> + medusa_headers['authorization'] = request._auth
>
> security.declarePrivate('modifyRequest')
> def modifyRequest(self, req, resp):
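
Review bot: _setAuthHeader is the only method in this hunk without a security declaration, while defaultExpireAuthCookie above it and modifyRequest below it both carry security.declarePrivate; add security.declarePrivate('_setAuthHeader') for consistency. The lookup response.stdout._request._header_cache also walks three private attributes, and the except AttributeError: pass branch drops the failure silently, so if that object layout ever differs the username logging just stops working with no trace. A comment naming which server objects are expected there, or a debug-level message in the except branch, would make that visible.
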
> ***************
> *** 126,134 ****
> name = req[self.name_cookie]
> pw = req[self.pw_cookie]
> ac = encodestring('%s:%s' % (name, pw))
> ! req._auth = 'Basic %s' % ac
> ! req._cookie_auth = 1
> ! resp._auth = 1
> if req.get(self.persist_cookie, 0):
> # Persist the user name (but not the pw or session)
> expires = (DateTime() + 365).toZone('GMT').rfc822()
> --- 146,152 ----
> name = req[self.name_cookie]
> pw = req[self.pw_cookie]
> ac = encodestring('%s:%s' % (name, pw))
> ! self._setAuthHeader(ac, req, resp)
> if req.get(self.persist_cookie, 0):
> # Persist the user name (but not the pw or session)
> expires = (DateTime() + 365).toZone('GMT').rfc822()
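
Review bot: In this login branch ac is built from name and pw, so with log_username on, the value that _setAuthHeader copies into the medusa header cache is the full Basic credential, password included, although the helper's own comment says only the username is wanted for Z2.log. A comment at this call or in the helper's docstring should state that the password-bearing header is now also held by the server-side request object, so that anything else reading that header cache is reviewed with that in mind.
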
> ***************
> *** 146,154 ****
> elif req.has_key(self.auth_cookie):
> # Copy __ac to the auth header.
> ac = unquote(req[self.auth_cookie])
> ! req._auth = 'Basic %s' % ac
> ! req._cookie_auth = 1
> ! resp._auth = 1
> self.delRequestVar(req, self.auth_cookie)
> return ATTEMPT_RESUME
> return ATTEMPT_NONE
> --- 164,170 ----
> elif req.has_key(self.auth_cookie):
> # Copy __ac to the auth header.
> ac = unquote(req[self.auth_cookie])
> ! self._setAuthHeader(ac, req, resp)
> self.delRequestVar(req, self.auth_cookie)
> return ATTEMPT_RESUME
> return ATTEMPT_NONE
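
Review bot: In the elif req.has_key(self.auth_cookie) branch, ac comes straight from the client's __ac cookie via unquote and is handed to _setAuthHeader before anything in this hunk has checked it, so with log_username on, the name that reaches the access log is whatever the client sent. Document that the logged username for ATTEMPT_RESUME requests is unverified at this point, or populate the log header only after the user has been authenticated, so that log consumers do not treat the field as proof of identity.
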
--
Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com