[ZPatterns] authorisation problem
Joachim Schmitz
Fri, 2 Nov 2001 12:55:52 +0100 (CET)
Hi,

I am still struggling with the authorisation problem. I am trying to implement
a session-based LoginMethod, which maintains its authorisation info in the
session (CoreSessionTracking). So I added a SessionLoginMethod in LoginMethods.
This works so far when I use the loginForm directly. So one can log in, and
as long as the session_id is contained in the request or URL, the
authorisation info is correct.

I think that the problem I run into is only partly related to the new
LoginMethod. The site structure is like this:

    root
      mySitefolder
        acl_users
          forbiddenForm
          loginForm
          logoutForm
        index_html
          contains: (simplified)
            <dtml-var standard_html_header>
            <dtml-var content>
            <dtml-var standard_html_footer>
        folder1
          content

I set the permission in folder1 to Authenticated only.

When I now log in by going to acl_users/loginForm directly, I can access the
URL mySitefolder/folder1.

When I access mySitefolder/folder1/content directly as Anonymous, the
loginForm pops up and I can log in.

But when I access mySitefolder/folder1 as Anonymous, the normal root
authentication box pops up. When I click cancel, the debug info (thanks to
ZDebug) tells me that mySitefolder/index_html is not allowed to access
content.

I surrounded <dtml-var content> with:

    <dtml-try>
      <dtml-var content>
    <dtml-except>
      <dtml-var REQUEST>
    </dtml-try>

Now the page displays. I didn't change anything in the
LoginManager.validate-method, and my SessionUserLogin class findLogin-method
looks like this.

    def findLogin(self, manager, request, auth, user=None, roles=None):
        # A user that was already resolved is passed straight through.
        if user:
            return user
        # Look for the session data manager on the traversed parents.
        sdm = None
        for parent in request.PARENTS:
            if hasattr(parent,self.SessionManager):
                sdm = getattr(parent,self.SessionManager)
                break
        # Debug values, shown later by <dtml-var REQUEST>.
        request.set('SM',self.SessionManager)
        request.set('user',"Sessionstart " + str(auth)
                    + str(parent.id)+str(roles)+str(user))
        if not sdm:
            request.set('LoginMethod', "not Session")
            return None
        # create=0: only pick up an existing session, never start one here.
        sdata = sdm.getSessionData(create=0)
        request.set("sdata",sdata)
        if sdata:
            # Existing session: the user name is taken from the session data.
            name = sdata.get(self.UserField)
            user = manager.getItem(name)
            self._loggedIn(request)
            request.set('user',"Session " + str(name) + str(roles))
        if user is None and request.has_key('__ac_name'):
            # No session user: fall back to the credentials posted by loginForm.
            get = request.get
            name = get("__ac_name")
            password = get("__ac_password")
            request.set('user',"Passw " + str(name) + str(roles))
            if name is None or password is None:
                return None
            user = manager.getItem(name)
            if user is not None and user.authenticate(password,request):
                self._loggedIn(request)
                request.set('LoginMethod', "Session")
                self._loggedIn(request)
                return user
            else:
                # Failed login: invalidate the session data.
                request.set('LoginMethod', "Session failed")
                sdata = sdm.getSessionData()
                sdata.invalidate()
                return None
        return user

The debug REQUEST variables tell me that it only got called for
the index_html. Any hint how to debug this further is very welcome.

With kind regards,
Joachim Schmitz
AixtraWare, Ing. Büro für Internetanwendungen
Hüsgenstr. 33a, D-52457 Aldenhoven
Telefon: +49-2464-8851, FAX: +49-2464-905163