[Zope] check permission problem
John Hunter
jdhunter@ace.bsd.uchicago.edu
Fri, 06 Sep 2002 11:40:59 -0500
>>>>> "Clemens" == Clemens Klein-Robbenhaar <robbenhaar@espresto.com> writes:
Clemens> John Hunter writes: [...]
>> What happens instead is that the anonymous user gets asked for
>> a password when visiting the site home index_html, which
>> includes the standard_html_header. It appears that Zope is
>> trying to access the contents of login_py in the call to
>>
>> <dtml-if "_.SecurityCheckPermission('View', login_py)">
>>
>> rather than simply check the permission, which surprises me.
Clemens> Well, the anonymous visitor _is_ accessing "login_py"
Clemens> actually. (Zope does not check permissions on function
Clemens> call, but on attribute access.)
Clemens> Thus your idea does not work that way. Instead you
Clemens> could check directly, if the user is anonymous, by
Clemens> inspecting "_.SecurityGetUser().getUserName=='Anonymous
Clemens> User'" or the like (sorry, I forgot the proper
Clemens> incantation ...)
Thanks -- you just forgot the () on getUserName.
But I am still encountering some strangeness.
I am now doing
<dtml-if "_.SecurityGetUser().getUserName()=='Anonymous User'">
in standard_html_header and using the login_py with view set to manage
permissions as before. I am also calling
<dtml-var "_.SecurityGetUser().getUserName()">
just for debug purposes.
When I visit the main page from a newly loaded browser, it loads with
a Members Login button as expected and user name reported as
'Anonymous User'. When I click on the submit button, I get the
password box as expected, and enter in a user/passwd with manager
permissions. Then I get redirected back to the referer as expected,
but the user name is still reported by the dtml-var call as 'Anonymous
User'. Refresh doesn't help.
Now things get funny. If I then go to the manage screen with
http://nitace.bsd.uchicago.edu:8080/template/manage
I can access it because the authentication for 'user' was stored by
the browser. If from the manage interface I click 'View', the user is
now reported as 'user' and I get the user menu instead of the login
button.
If I then try to access the page directly again with
http://nitace.bsd.uchicago.edu:8080/template
I am back to being an anonymous user.
Please feel free to take a look. The user is 'user' and the password
is 'user1234'.
Thanks,
John Hunter