[Zope] Manual AUTHENTICATED_USER (Re: [Zope] GUF: Generic User Folder)

Hung Jung Lu hungjunglu@hotmail.com
Mon, 10 Apr 2000 19:31:58 PDT


--- In zope@egroups.com, chas <panda@s...>  wrote:
>Sorry to bother you but why should it be best done at the product level if
>all the product does is what can be done
>in one line below? I find this manual setting very useful.

For a low-security site, manual setting should still be fine.
Tweaking into the traverse machinery actually is not too
hard; you can look at the BaseRequest.py and HTTPRequest.py
files. Pay attention particularly to the assignment of the _auth
variable. I have played with switching _auth on the fly and it
worked. :) But of course I wouldn't recommend that everyone modify
their Zope code just like that.

Evan's argument was: manual setting may not be compatible with
future releases of Zope, so it's better to make things into
a product, with which I agree. But as it turned out, the SiteAccess
product itself actually broke with the new release of Zope. :)
So even with products one still has to be careful with Zope
release changes.

For higher security sites, the manual setting is not good enough,
since people who know the exact location of DTML/ZSQL methods can
still call them up directly. (Same as with images, but images
usually are not a high security concern.)

The thing to do seems to be: whenever there is an HTTPRequest
transaction, tweak the _auth variable in the constructor
of the HTTPRequest object (or even earlier in the environment
variables!) to your generic user. This will make all web
objects secure. I still haven't looked into the "clean" flag
and the "sane_environment()" of HTTPRequest.py. Anyway, if I
have time I'll make a product... it's just not high on my
priority list. :)

regards,

Hung Jung
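The distinction the mail draws, as an added example that is not part of the original post and does not use Zope's real HTTPRequest/BaseRequest classes: a toy publisher in which every traversed object is checked against the user derived from the request's credentials (the `_auth` role), so a per-page manual override of AUTHENTICATED_USER never protects a DTML/ZSQL method that is requested directly. All class and role names below are constructed for illustration.

```python
# Added example, not Zope code: a minimal model of request-level
# authentication versus a page-level manual AUTHENTICATED_USER setting.

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

class Resource:
    """A published object (page, DTML method, ZSQL method) guarded by roles."""
    def __init__(self, name, allowed_roles):
        self.name = name
        self.allowed_roles = frozenset(allowed_roles)

class Request:
    """Stand-in for an HTTP request; _auth carries the credentials."""
    def __init__(self, path, auth=None):
        self.path = path      # constructed path such as "reports/secret_sql"
        self._auth = auth     # None models an anonymous request
        self.other = {}       # request variables, e.g. AUTHENTICATED_USER

ANONYMOUS = User("anonymous", ["Anonymous"])
USERS = {"generic": User("generic", ["Member"]),
         "admin": User("admin", ["Manager"])}
SITE = {  # constructed site tree: a public page and a protected ZSQL method
    "index_html": Resource("index_html", ["Anonymous"]),
    "reports/secret_sql": Resource("secret_sql", ["Member", "Manager"]),
}

def validate(request):
    """Role of BaseRequest.traverse's user lookup: the user comes from _auth."""
    return USERS.get(request._auth, ANONYMOUS)

def traverse(request):
    """Publish request.path. The target is checked against the user derived
    from _auth; whatever a page wrote into AUTHENTICATED_USER is irrelevant."""
    user = validate(request)
    request.other["AUTHENTICATED_USER"] = user
    target = SITE[request.path]
    if user.roles & target.allowed_roles:
        return "200 " + target.name
    return "401 Unauthorized"

def manual_setting(request):
    """The one-line page-level trick: overwrite AUTHENTICATED_USER after the
    fact. It only changes what that page sees, not how other objects are guarded."""
    request.other["AUTHENTICATED_USER"] = USERS["generic"]
    return request.other["AUTHENTICATED_USER"].name

def request_level_auth(path, auth="generic"):
    """The approach the mail suggests: set _auth before traversal starts."""
    return traverse(Request(path, auth=auth))
```

Run the functions against the two paths to see that a direct anonymous request for the ZSQL method is refused in both cases, while only the request-level credential lets the generic user through.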

