[Zope] question about user authentication

Jason Jones jason_j@countermedia.org
Tue, 3 Aug 1999 15:32:12 -0500


I'm new to Zope and having some trouble understanding the user authentication procedures.

I've defined several user roles to suit my needs (author, moderator, maintainer, partner, etc.) and want to be able to provide access to objects based on whether a user has privileges dictated by those roles, for the specific object. My problem is that I don't want Zope to handle the authentication; rather, I would like to provide a login form for users.

Normally I would keep user data in an RDBMS, let the user log in, I'd grab their permissions, issue a session_id either as a cookie or part of the URL, and enter the session_id/permissions into a hashtable or some other storage so that I could check it when I needed to, and delete it when the session lapses or the user logs out.

Do I need to do essentially the same thing in Zope, or is there some way that I can authenticate a user from a DTML login method and have that authentication persist (and be queryable) throughout the user's session until they log off?

It's my understanding that with HTTP authentication, Zope will essentially manage the session persistence so that later on I could use the AUTHENTICATED_USER object to find out who I'm dealing with and act accordingly, but is there a way to do the authentication from DTML? I can't seem to locate such method calls in the documentation, and I don't know how Zope stores session information.

Of course, I could be looking at this the wrong way. Is Zope's security setup even intended to provide ways of managing a user's session and the content they can view and manipulate, or is it mainly intended for managing access by people who will be dealing with Zope itself (this is what all of the documentation examples tend toward)?

Any help will be greatly appreciated....

Thanks,

Jason Jones
jason_j@countermedia.org
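
The session scheme described in the message above (log in, issue a session_id, keep session_id/permissions in a table, delete the entry on lapse or logout), sketched in plain Python as an added example; it is not part of the original post and is not Zope's API. The class and method names, the 30-minute idle timeout and the in-memory dict are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SESSION_IDLE_SECONDS = 1800  # assumed idle timeout; the post gives no value


class SessionStore:
    """In-memory session table: digest(session_id) -> [user, roles, last_seen]."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}

    @staticmethod
    def _key(session_id):
        # Store only a digest so a dump of the table does not yield usable IDs.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, user, roles):
        """Call only after the credentials were verified against the user database."""
        session_id = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self._sessions[self._key(session_id)] = [user, frozenset(roles), self._clock()]
        return session_id  # a cookie keeps it out of logs and Referer headers; a URL does not

    def roles_for(self, session_id):
        """Return the session's roles, or an empty set if unknown or lapsed."""
        key = self._key(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return frozenset()
        if self._clock() - entry[2] > SESSION_IDLE_SECONDS:
            del self._sessions[key]  # lapsed: delete, as the post describes
            return frozenset()
        entry[2] = self._clock()  # sliding idle timeout
        return entry[1]

    def allowed(self, session_id, required_roles):
        """True if the session holds at least one of the roles the object requires."""
        return bool(self.roles_for(session_id) & set(required_roles))

    def logout(self, session_id):
        self._sessions.pop(self._key(session_id), None)
```

Every request handler would call `allowed()` with the roles required for the object being accessed, so an unknown or lapsed session_id is treated the same as no session at all.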
