[Zope] Going from Zope 2.1.6 to 2.3.0: security issue
Chris McDonough
chrism@digicool.com
Tue, 6 Feb 2001 18:47:10 -0500
Hi Becky,
In the file "lib/python/AccessControl/User.py", change the line (~ 508)
which reads "_domain_auth_mode=0" to "_domain_auth_mode=1", and restart
Zope.
This particular functionality was turned off in Zope 2.3.0 because it
implies a very expensive call on each request that's useful to only a few
folks (obviously you're one of them! ;-)
I'm not sure why Randy Kern's suggestion didn't work for you (because it
looks reasonable), but this is the surefire way to enable it.
(ps - how are you using Zope at Xerox PARC? Neat!)
----- Original Message -----
From: <burwell@parc.xerox.com>
To: <zope@zope.org>
Sent: Tuesday, February 06, 2001 1:35 PM
Subject: [Zope] Going from Zope 2.1.6 to 2.3.0: security issue
> We are in the process of moving from Zope 2.1.6 to Zope 2.3.0.
>
> We had some web pages that we wanted to restrict to people just at
> our research lab.
>
> We did this by creating a role called "localUsers". And then we added
> a user with a domain of *.parc.xerox.com that had the role of
> localUsers. This allowed anyone whose web browser was on a machine in
> *.parc.xerox.com to access the pages. This worked great in 2.1.6.
>
> When we brought up Zope 2.3.0 we find that we get prompted for an id
> and password when accessing web pages that have our role localUsers
> applied to them. We can tell the user what to type, but it is
> annoying.
>
> What's the best way to restrict a set of pages to a particular domain
> without having to require the user to login?
>
> Thanks.
>
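
For readers following the thread, an added illustration (not Zope's code and not written by either poster) of the kind of per-request check a domain-only user implies: the client hostname, passed in here as a parameter, is compared label by label against a spec such as `*.parc.xerox.com`. The function names, the user-record layout and the sample hostnames are assumptions constructed for the example.

```python
def _labels(name):
    # Lower-case and drop a trailing root dot so "Host.Example.COM." compares equal.
    return name.lower().rstrip(".").split(".")


def host_matches(spec, host):
    """Return True if host falls under a domain spec such as '*.parc.xerox.com'."""
    if not host:
        return False  # no hostname known: never grant access by default
    spec_l, host_l = _labels(spec), _labels(host)
    if "" in spec_l or "" in host_l:
        return False  # malformed name (empty label)
    if spec_l[0] == "*":
        suffix = spec_l[1:]
        # The match must be aligned on label boundaries and anchored at the
        # right-hand end, with at least one extra label for the wildcard.
        # A plain substring or endswith() test would be too permissive.
        tail = host_l[len(host_l) - len(suffix):]
        return len(host_l) > len(suffix) and tail == suffix
    return host_l == spec_l


# Constructed sample mirroring the thread: a user with no password prompt,
# only a domain restriction, holding the role "localUsers".
DOMAIN_USERS = [
    {"name": "lab", "domains": ["*.parc.xerox.com"], "roles": ["localUsers"]},
]


def roles_without_login(host, users=DOMAIN_USERS):
    """Roles an unauthenticated request from `host` would receive."""
    roles = set()
    for user in users:
        if any(host_matches(spec, host) for spec in user["domains"]):
            roles.update(user["roles"])
    return sorted(roles)


if __name__ == "__main__":
    for h in ("ws12.parc.xerox.com", "x.notparc.xerox.com",
              "parc.xerox.com.example.net", ""):
        print(repr(h), roles_without_login(h))
```

Access granted this way is only as trustworthy as the hostname handed to the check, so it suits convenience restrictions like the one described in the thread rather than protection of sensitive content.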