[Zope] UserDb/Authentication Questions

Jeffrey Shell Jeffrey@digicool.com
Thu, 8 Apr 1999 17:12:13 -0400


[SNIP!]
> To facilitate this, I'd 
> like to put a
> button on my main screen that says "Login" when the user is not
> authenticated, and "Logout" when they are. I can make a link to
> /company/acl_users/docLogin and /company/acl_users/docLogout 
> respectively,
> but I figure there's a better, more Zopish way to do this. 
> Any ideas? I've
> got the button part figured out (ie. I can easily change what 
> is shown on
> the page based on whether they are logged in or not), I just 
> can't figure
> out where to send them when they click it.

*sigh* don't you love Outlook formatting?

Anyways, I can't answer your other questions right offhand, but you can
make a "logout" page very easily that doesn't even need to call the
docLogout in the UserDB.  Basically, you have to delete the cookie
(which the default docLogout might not be doing in the current release).
Using the following code effectively logs a user out when using cookie
authentication.

<!--#call "REQUEST['RESPONSE'].expireCookie('__ac', path='/')"-->

Making an arbitrary "login" document is a little bit trickier.  To
ensure that the proper authentication is raised, make your own
"docLogin" document that is protected (i.e., Anonymous can't view it).
This will raise the docLogin document in UserDB when the user clicks on
it.  You might want to do something like tracking the HTTP_REFERRER
(REFERER?) header to return the user to the page they were on when they
clicked the "login" link.

You can even make your own form that mimics the docLogin form (submits
the same parameters) whose action is a protected document.  I've used
this in a project where an unknown user needs to register, and part of
that registration is a username and password.  After they registered,
they could enter the "members" area of the site and start working
immediately, but I (a) wanted to keep that member area protected, and
(b) didn't want to say to the user "Congratulations, now try out that
new username and password by entering them again now!".  Solution?  I
copied the <INPUT> tags from the UserDB docLogin form and changed their
HTML type to "hidden" and set their value to the new username and
password I had just acquired from the registration process, and set the
target to the Member folder which required a Member role to View.  It
worked beautifully and gave me that resounding feeling of "mmm, Zope
just kicks ass".

(feelings of Zope kicking ass are my personal opinion and do not
necessarily reflect the views of Digital Creations.  ;)

.jPS
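
The message above suggests using the Referer header to send users back to the page they were on when they clicked "login". The following is an added example, not part of the original message and not Zope or UserDB code, showing one way to validate that header before redirecting so the redirect stays on the site. The function name `safe_return_url`, the host `www.example.com` and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Document names taken from the post; returning to them after login would loop.
LOGIN_DOCS = ("docLogin", "docLogout")


def safe_return_url(referer, site_host, fallback="/"):
    """Turn a client-supplied Referer into a same-site relative redirect target.

    The Referer header is attacker-controllable, so anything that is not an
    http(s) URL on our own host is replaced by `fallback`.
    """
    # Missing header, control characters (CR/LF header injection) or
    # backslashes (parsed inconsistently by browsers) are refused outright.
    if not referer or any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\\"
                          for c in referer):
        return fallback
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # .hostname drops userinfo and port, so "site@evil.test" compares as evil.test.
    if (parts.hostname or "").lower() != site_host.lower():
        return fallback
    # Collapse leading slashes: "//evil.test/x" would otherwise be read by
    # browsers as a scheme-relative URL pointing at another host.
    path = "/" + parts.path.lstrip("/")
    if path.rstrip("/").rsplit("/", 1)[-1] in LOGIN_DOCS:
        return fallback
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed sample Referer values, not taken from the original thread.
    samples = [
        "http://www.example.com/company/index_html?x=1",
        "http://evil.test/company/",
        "http://www.example.com@evil.test/",
        "http://www.example.com//evil.test/x",
        "http://www.example.com/company/acl_users/docLogin",
    ]
    for s in samples:
        print(f"{s!r:55} -> {safe_return_url(s, 'www.example.com')!r}")
```
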