[Grok-dev] Re: Grokwiki Security in Eggified Grok

Martijn Faassen faassen at startifact.com
Sat Aug 18 13:22:49 EDT 2007


Uli Fouquet wrote:
> Hi Steve,
> 
> On Friday, 17.08.2007, 22:00 -0700, Steve Schmechel wrote:
>> It used to be that editing securitypolicy.zcml and principals.zcml in
>> parts/instance/etc and adding "grok.define_permission" and
>> "grok.require" statements to the code, allowed one to require
>> authentication with proper permissions in order to edit pages.
>>
>> Using current trunk code, it appears that the security directives go
>> into the buildout.cfg and are then copied into
>> parts/grokwiki/site.zcml.  However, these settings seem to have little
>> effect.  (Even changing just the manager password that is built by
>> default.)
>>
>> Instead of the app causing the browser to display a login/password
>> dialog when trying to edit, the browser is redirected to the admin
>> page, where a form-based login and password only responds to the
>> original grok/grok authentication.
>>
>> Am I missing something simple?  Has something changed due to the new
>> (much nicer) admin page?
> 
> Yes, something changed. The admin-UI installs a different Pluggable
> User-Authentication (PAU) on setup. Unfortunately no 'native' editing of
> the users and their passwords is currently possible.

By 'native' I assume you mean editing of this information from within 
the grok admin UI, right? I think it's a very high priority to enable 
this, as we don't want to rely on the obscure and ugly ZMI in any way.

We also need to consider the interaction between Grok's authentication 
story and the authentication story of any grok-based application. I 
assume that someone can just install their own authentication plugin in 
their application's site and that authentication will then work for 
users defined there. What about the users defined high-up by grok 
though? What can they do?

Regards,

Martijn
