[Zope] Post authentication hook and anonymous users
Cyrille Bonnet
cyrille at 3months.com
Wed Mar 2 17:29:50 EST 2005
Hi Zope people,
I have been using Dieter Maurer's Post authentication hook quite
successfully to restrict access to a folder for a group of users.
Now, my problem is that Post authentication hook is only called... for
authenticated users (as its name implies).
That's a problem for me, because anonymous users that can guess a URL
could access private areas that I have set up.
(BTW, I am aware that I could restrict the access by changing the "View"
permission in the "Security" tab and remove "Acquired", but that's not
good enough: it then shows all documents to authorized users, regardless
of their workflow state).
Anyway, I am thinking of adding an unvalidated_hook call in
ZPublisher/BaseRequest.py, something like:
    if user is not None:
        if validated_hook is not None: validated_hook(self, user)
        request['AUTHENTICATED_USER']=user
        request['AUTHENTICATION_PATH']='/'.join(steps[:-i])
    else:
        unvalidated_hook(request)
And then in unvalidated_hook, I would dynamically check if anonymous
users can access the current folder.
Am I on the right track or is there a built-in functionality in Zope to
accomplish what I am trying to do?
Advice and pointers are welcome.
Cheers
Cyrille
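
An added sketch, not part of the original post and not Zope code: a stand-alone model of the branch proposed above, in which the anonymous hook denies anything it has no explicit rule for. The policy table, the paths, the `PATH` and `review_state` request keys, the `Unauthorized` stand-in and `finish_traversal` are all assumptions made for the illustration.

```python
# Stand-alone model, no Zope imports; every name here is a hypothetical stand-in.
class Unauthorized(Exception):
    """Stand-in for the exception a publisher would turn into a 401."""

# Constructed policy: folder path -> workflow states anonymous users may view.
ANONYMOUS_POLICY = {
    "/site/public": {"published"},
    "/site/members": set(),  # private area: nothing is visible to anonymous
}

def anonymous_states_for(path):
    """Longest match on whole path segments; unknown paths get no access."""
    segments = path.strip("/").split("/")
    for n in range(len(segments), 0, -1):
        prefix = "/" + "/".join(segments[:n])
        if prefix in ANONYMOUS_POLICY:
            return ANONYMOUS_POLICY[prefix]
    return set()  # fail closed: no rule means no anonymous access

def unvalidated_hook(request):
    """Runs when no user was authenticated for this request."""
    allowed = anonymous_states_for(request["PATH"])
    if request.get("review_state") not in allowed:
        raise Unauthorized(request["PATH"])

def validated_hook(request, user):
    """Placeholder for the existing post-authentication check."""
    request["hook_user"] = user

def finish_traversal(request, user):
    """Model of the proposed branch: exactly one of the two hooks runs."""
    if user is not None:
        validated_hook(request, user)
        request["AUTHENTICATED_USER"] = user
    else:
        unvalidated_hook(request)
    return request
```

Matching on whole segments keeps a rule for `/site/public` from also covering a sibling such as `/site/publicity`, which a plain string-prefix test would let through.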