[Zope] newbie question

Terry Kerr terry@adroit.net
Mon, 11 Oct 1999 10:56:14 +1000


This seems to all make sense now...except I am still having problems.
I have the security set for a directory such that no anon permissions
are set, and 'view' is not set to acquire permissions....however, anybody
can still view the page.  Why is this so?  I have jumped on another box,
and the page loads up without prompting for any authentication!  I was
expecting it to only authenticate the owner or manager of the directory.

terry

Martijn Pieters wrote:
> 
> At 01:56 9-10-99 , Dyon Balding wrote:
> > > It isn't that easy actually - it's a bit of a fiddle.
> > >
> > > 1) in the acl_users folder *above* where you want to deny access to,
> > > create a user 'AnonUser' with no password and domain = '*.*.*.*'
> > > 2) in the acl_users folder where you want access denied to, create a
> > > user 'AllowedUser' with no password and domain '*.your.domain'
> > > 3) In the standard_html_header in the second folder add some dtml code
> > >
> > > <dtml-if "_.str(REQUEST['AUTHENTICATED_USER'])=='AnonUser'">
> > > <dtml-call "RESPONSE.redirect('denied')">
> > > </dtml-if>
> > > <html>
> > > etc etc
> > >
> > > and create a DTML method called 'denied' that explains to the person
> > > what's going on. *Don't* use standard_html_header in the 'denied'
> > > method as you'll get infinite recursion.
> > >
> > > This is a bit of a faff  - I may well look at Apache rewrite rules to
> > > restrict access to a site as a whole.
> > >
> >
> >that's pretty damn convoluted, our site, which i feel would be well
> >suited to zope development requires quite a bit of authentication.  we
> >are a university department, and currently use an apache ldap module to
> >authenticate.  we have sections of the site that need to be limited to
> >the department only, and other sections that need to be limited by other
> >groups.
> >
> >zope's authentication for management seems good, but there must be an
> >easier way to limit user access.
> >
> >any pointers?
> 
> I think Tony mixed up a tip from me on how to _exclude_ access from a
> certain domain. Zope's access control is very powerful and very simple, but
> if you want to exclude one domain from access you have to twist and wriggle
> a bit. Tony wriggled a bit further in that direction to get 'normal' access
> control.
> 
> Normally, you'd define a new Role (like 'Visitor'), that you give the
> permissions that the Anonymous role normally has, and revoke all Anonymous
> permissions. Then you can assign that role to anyone you want to have
> access. See the Z Content Managers Guide on Zope.org.
> 
> --
> Martijn Pieters, Web Developer
> | Antraciet http://www.antraciet.nl
> | T: +31 35 7502100 F: +31 35 7502111
> | mj@antraciet.nl http://www.antraciet.nl/~mj
> | PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
> ---------------------------------------------
> 
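
Added example (not part of the thread and not Zope's own code): a simplified Python model of how the 'Visitor' role recipe quoted above interacts with the "acquire" setting on the View permission. The Folder class, can_view and build_site are hypothetical names; only the role names and the View permission come from the messages.

```python
# Simplified model of permission lookup with acquisition.
# Assumption: roles granted on a folder are merged with the parent's roles
# whenever "acquire" is switched on for that permission.

class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        # permission -> (roles granted here, acquire from parent?)
        self.settings = {}

    def set_permission(self, permission, roles, acquire):
        self.settings[permission] = (set(roles), acquire)

    def roles_for(self, permission):
        """Collect roles holding `permission`, walking up while acquire is on."""
        roles, node = set(), self
        while node is not None:
            local, acquire = node.settings.get(permission, (set(), True))
            roles |= local
            if not acquire:
                break
            node = node.parent
        return roles


def can_view(folder, user_roles):
    # A permission granted to Anonymous is open to everyone, logged in or not.
    effective = set(user_roles) | {"Anonymous"}
    return bool(folder.roles_for("View") & effective)


def build_site(acquire_in_private):
    # Constructed sample site: a root that is world-viewable, one restricted folder.
    root = Folder("root")
    root.set_permission("View", ["Anonymous", "Manager"], acquire=False)
    private = Folder("private", parent=root)
    # The recipe: View goes to the new 'Visitor' role, not to Anonymous.
    private.set_permission("View", ["Visitor", "Manager"], acquire=acquire_in_private)
    return private


if __name__ == "__main__":
    for acquire in (True, False):
        private = build_site(acquire)
        print("acquire=%s anonymous=%s visitor=%s" % (
            acquire, can_view(private, []), can_view(private, ["Visitor"])))
```

In this model the folder stays world-readable for as long as View is still acquired from a parent that grants it to Anonymous, whatever roles are ticked locally.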