[Zope] Basic public manage access questions
Martijn Pieters
mj@antraciet.nl
Thu, 14 Oct 1999 15:46:20 +0200
At 15:11 14/10/99 , Jason Cunliffe wrote:
>Hello
>
>Like most here I am very impressed with Zope - concept, community, scope,
>potential etc. and am specifying Zope for an upcoming maritime transport
>e-commerce project. Users & End-users (are there really ever such a group?)
>may be using our 'smart-map' web site from kjhkh-knows-what machine,
>fdsf-knows-where.
>
>I am concerned about how to prevent access to management screens when
>someone does not fully quit the web browser after a management session.
>Either I have missed something so basic about zope permissions, or it has
>missed my application.context.
>
>It seems that if I log-on as zope site manager/developer/contentprovider,
>and do some priviledged site work, but then walk away from the browser [
>even though I have left it on another URL entirely], then the next person
>can step up to the machine, click 'back', use 'history', or type in
>www.mysite.com:8080/somefolder/manage - and bingo slide back into my shoes
>with those powers!
>
>...oops! ouch.. Tell me I am wrong please. If this is true what does anyone
>recommend?
>
>Yes, I can give people beautifully written instructions: DO NOT do
>'thisXYZABC'- please_Youvebeenwarned' .. but real-world conditions with
>people I may never meet, who don't speak English very well, or are using a
>Kiosk terminal etc are another matter.
>[not to mention speaking simple webese- or intermediate zope/python not too
>well]
>
>Is there some nice code {Javascipt/Zope} you can think of to check the fact
>once the browser focus has moved onto another page or something, then I am
>obliged to re-enter user:password information?
>
>Ditto what can I do when a user of the browser has selected the 'remember
>password' item?
>Is there a clean way to zope around this?
You could switch to cookie based authentication. UserDB, a User Folder that
authenticates against a backend RDBMS, supports cookies, and so does the
User Folder that is used at zope.org. Cookies you can expire, and that
browser with the 'remember password' can be told to forget about a certain
HTML password input box (which it normally could aslo remember for you).
--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| Tel: +31-35-7502100 Fax: +31-35-7502111
| mailto:mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
------------------------------------------