[Zope] Problem with checking roles an authenticated user has

Randall F. Kern randy@spoke.net
Sat, 7 Apr 2001 10:39:02 -0700


The problem is the way HTTP Auth was designed.

According to the HTTP specification, the browser only needs to send
credentials after having received a 401 (Unauthorized) HTTP response
code from the server, and only for that one request.  The idea is that
HTTP is stateless, so each and every request the browser makes would be
met with a 401 response, and then the browser would send the credentials
in a second request, and finally the server would validate the
credentials and respond with the data.

Now this is rather slow (2 requests for every page), so most browsers
have optimized their implementation by automatically sending credentials
for any URL below a URL the server required authentication for, on the
first request.

What this means is you can sort of work around your problem by having
people log into your site in the root.  A login method in the root of
your site will work for this.

The other solution is to use cookie based authentication.  (I think
there are several products on zope.org that provide this functionality.)

-Randy

> -----Original Message-----
> From: Richard Ettema [mailto:richard.ettema@yoursolutions.co.uk]
> Sent: Saturday, April 07, 2001 5:05 AM
> To: zope@zope.org
> Subject: [Zope] Problem with checking roles an authenticated user has
>
>
> Hi,
>
> I have a site which includes a members area. When a member logs in, extra
> features are made available on all pages compared to a non-member.
> The problem is that sometimes the authenticated_user test I use does not
> come back true once someone has logged in. This problem does not occur all
> the time or with any particular page. It is being very unpredictable!
> This is the dtml-if (placed in the standard_html_header) I use to check...
>
>  <dtml-if "AUTHENTICATED_USER.has_role('a_member') or AUTHENTICATED_USER.has_role('Manager')">
>
> Any ideas what my problem could be?
>
> Thanks for any ideas
>
> Richard
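
A simplified model of the browser behaviour described in the reply above, added as an illustration and not part of the original thread. It shows which pages see the logged-in user depending on where the 401 login happened; the class, function names and sample paths are hypothetical, and real browsers differ in detail.

```python
import posixpath


def protection_prefix(challenged_path):
    """Path prefix a browser treats as covered after a 401 on challenged_path:
    everything at or below the directory of the last path element."""
    if challenged_path.endswith("/"):
        return challenged_path
    return posixpath.dirname(challenged_path).rstrip("/") + "/"


class Browser:
    """Minimal model of a browser's Basic auth credential cache (assumption)."""

    def __init__(self):
        self.prefixes = []  # path prefixes the browser holds credentials for

    def login_at(self, path):
        # The server answered 401 at this path and the user entered a password.
        self.prefixes.append(protection_prefix(path))

    def sends_authorization(self, path):
        # Preemptive send on the first request: only inside a known prefix.
        return any(path.startswith(p) for p in self.prefixes)


def user_seen_by_server(browser, path):
    """Public pages never answer 401, so the server only learns who the user
    is when the browser volunteers the Authorization header."""
    return "member" if browser.sends_authorization(path) else "Anonymous User"


def survey(login_path, pages):
    """Log in once at login_path, then report the user each page would see."""
    b = Browser()
    b.login_at(login_path)
    return {p: user_seen_by_server(b, p) for p in pages}


# Constructed sample site layout.
PAGES = ["/index_html", "/news/today", "/members/area", "/members/files/list"]

if __name__ == "__main__":
    for login in ("/members/login", "/login"):
        print("login at", login)
        for page, user in survey(login, PAGES).items():
            print("   %-22s -> %s" % (page, user))
```

With the login under /members/, a role check in a shared header evaluates against the anonymous user on every page outside that folder; with the login in the root, the same check sees the member everywhere.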