From: Andrew Altepeter <aaltepet@be...> - 2003-03-05 18:50:03
I just wanted to thank you for putting together such a wonderful
product! I have used it as the basis for my own cookie based
authentication user folder, and it's working wonderfully.
I just have a question about the method you are using to see if the user
is allowed to access a requested resource using cookie based
authentication. In the code, there is the following:
    if user.allowed(parent, roles):
        self.setUserCookie(name, password, request, resp)
But, in AccessControl.User.validate it does this:
    v = request['PUBLISHED'] # the published object
    a, c, n, v = self._getobcontext(v, request)
    if self.authorize(user, a, c, n, v, roles):
It seems to me that in the exUserFolder code, access to the parent of
the requested object is checked, not the requested object itself. In
User.validate, access to the requested object is checked.
Is there a difference between the two?
Also, I ran into problems when creating my own userfolder for cookie
based authentication (ahem, an HTML login page, and not using BASIC
auth). If a user has access to a certain object, but that object
accesses other objects to which the user has no permissions (e.g.
view), then a BASIC auth request will be returned because
userfolder.validate is only called for initial authorization.
To get this fixed, I had to override the HTTPRequest.(_?)unauthorized
functions. Is this an oversight in the exUserFolder code, or am I
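To make the parent-versus-object question concrete, the following is a small constructed model added here (not code from Zope, AccessControl or exUserFolder). It assumes Zope-like acquisition: a container's "View" role setting applies to its children unless a child defines its own, and the hypothetical `allowed()` stands in for `user.allowed(obj, roles)`.

```python
# Constructed model of role acquisition for the "View" permission.
# A node with view_roles=None acquires the setting from its nearest ancestor.

class Node:
    def __init__(self, name, parent=None, view_roles=None):
        self.name = name
        self.parent = parent
        self.view_roles = view_roles  # None means "acquire from parent"

    def roles_for_view(self):
        """Walk up the containment chain to the first explicit View setting."""
        node = self
        while node is not None:
            if node.view_roles is not None:
                return node.view_roles
            node = node.parent
        return set()


def allowed(obj, user_roles):
    """Hypothetical stand-in for user.allowed(obj, roles)."""
    return bool(set(user_roles) & obj.roles_for_view())


def check_parent(published, user_roles):
    """The exUserFolder-style check: authorize against the container."""
    return allowed(published.parent, user_roles)


def check_object(published, user_roles):
    """The User.validate-style check: authorize against the published object."""
    return allowed(published, user_roles)


def demo():
    # Constructed tree: /root/members/secret, where "secret" restricts
    # View more narrowly than its parent container does.
    root = Node("root", view_roles={"Anonymous", "Member", "Manager"})
    members = Node("members", root, view_roles={"Member", "Manager"})
    secret = Node("secret", members, view_roles={"Manager"})
    report = Node("report", members)  # acquires from "members"
    member = ["Member"]
    return {
        # Checking the parent grants a Member access the object itself denies.
        "secret_parent_check": check_parent(secret, member),
        "secret_object_check": check_object(secret, member),
        # When the object only acquires, both checks agree.
        "report_parent_check": check_parent(report, member),
        "report_object_check": check_object(report, member),
    }
```

The two checks only diverge when the published object narrows the permission its container grants, which is exactly the case where a parent-only check over-grants.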