[Zope-dev] REQUEST.AUTHENTICATED_USER question

vio vmilitaru@sympatico.ca
Mon, 21 Jan 2002 10:32:33 -0500


The point in a customised login method is precisely to do just that: validate 
user credentials with some custom scheme. If interested, this is trivial to do 
with a valid UserFolder instance around: 
'if my_custon_loginForm_password == Users_folder.getUser(my_custon_loginForm_loginName)._getPassword(): and here SWITCH to the authenticated new user identity'.
And voilà! No sweat. But I just don't know nor understand how to do that switch 
yet, 'programmatically'.


* Jens Vagelpohl <jens@zope.com> [020121 09:02]:
> the user gets modified automatically, provided you use common 
> login-methodology and a user folder that supports it.

You must be referring to the routine HTTPResponse.HTTPResponse.unauthorized(), 
called with REQUEST.RESPONSE.unauthorized(). It just happens that I really 
don't like that 'Basic Authentication' dialog, that's why I want to use mine. 
So I've done half of the job to that end, only remaining problem is to switch 
'programmatically' to the new authenticated user id. Doing something like 
'REQUEST['AUTHENTICATED_USER'] = my_custon_loginForm_loginName' seems to have 
no effect, because the user is still 'Anonymous User' (found with 
'AUTHENTICATED_USER.getUserName()'). If only I could understand where REQUEST 
gets its data for its 'AUTHENTICATED_USER' attribute, I could simply change 
that data source, and I'd be done. But I still don't understand how REQUEST
gets all the data to its attributes.

> 
> you don't set the user "manually".

Of course you do ('programmatically' not 'manually'), as proven by all the 
customised 'login' products out there, which are doing just that. 
Only the one I studied so far (CookieCrumbler) seems to re-write the 
REQUEST.RESPONSE at each traversal. 
Which to me seems like a lot of overhead. If someone could point me to where
Zope keeps user state (I believe with a cookie on the user's browser, 
but where in the source does Zope set this cookie up?), 
I could simply re-write that cookie with the new User ID ... Just a
thought of a simple and elegant solution (aka 'magic bullet') for my problem.

Vio

> 
> jens
> 
> 
> On Monday, January 21, 2002, at 12:35 , vio wrote:
> 
> > Hi,
> > Does anybody know what is the method call to modify the 
> > AUTHENTICATED_USER attribute? I am unable to trace where REQUEST feeds 
> > data for its AUTHENTICATED_USER attribute.
> >
> > Some context to my question: I am using a custom method to authenticate 
> > users coming to my site. So when the user logs in, he is 'Anonymous User'
> > (from call: AUTHENTICATED_USER.getUserName()). But after his login name 
> > and password checked ok, how do I switch his identity in Zope from 
> > 'Anonymous User' to his/her new identity?  What I am looking for is that 
> > next time I call 'REQUEST.AUTHENTICATED_USER.getUserName()' to get the 
> > new UserName he just logged in as, not 'Anonymous User' again.
> >
> > Examining CookieCrumbler.py source, this authentication product uses the 
> > 'before_publishing_traverse hook' mechanism. But isn't there a simpler 
> > way to do this than modifying REQUEST.RESPONSE at each traversal? Sounds 
> > like a lot of overhead.
> >
> > Vio
> >
> >
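
A simplified model of the per-request behaviour this thread is about, added here as an example; it is not Zope or CookieCrumbler code. Identity is re-established by a pre-traversal hook on every request, and the model contrasts a server-side session token with a cookie that simply carries a user name. All names (`Request`, `login`, `session_hook`, `naive_hook`, `publish`, the cookie names, the sample user) are assumptions made for the illustration.

```python
import hmac
import secrets

ANONYMOUS = "Anonymous User"
USERS = {"vio_demo": "s3cret-demo"}   # constructed sample user folder
SESSIONS = {}                          # server-side map: token -> user name

class Request:
    """One HTTP request; its attributes do not survive to the next one."""
    def __init__(self, cookies=None):
        self.cookies = dict(cookies or {})
        self.user = ANONYMOUS          # stands in for AUTHENTICATED_USER

def login(name, password):
    """Login form handler: check the password, return a cookie value or None."""
    stored = USERS.get(name)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, carries no identity itself
    SESSIONS[token] = name
    return token

def session_hook(request):
    """Pre-traversal hook: resolve the user from the session cookie."""
    request.user = SESSIONS.get(request.cookies.get("demo_session", ""), ANONYMOUS)

def naive_hook(request):
    """Unsafe variant: trusts a user name the browser sent in a cookie."""
    request.user = request.cookies.get("demo_user", ANONYMOUS)

def publish(request, hook):
    """Each request starts anonymous; the hook must re-establish identity."""
    hook(request)
    return request.user

def demo():
    token = login("vio_demo", "s3cret-demo")
    first = Request({"demo_session": token})
    first.user = "vio_demo"            # assignment affects this object only
    return {
        "fresh_request_without_cookie": publish(Request(), session_hook),
        "with_session_cookie": publish(Request({"demo_session": token}), session_hook),
        "forged_session": publish(Request({"demo_session": "guess"}), session_hook),
        "forged_naive_cookie": publish(Request({"demo_user": "admin"}), naive_hook),
        "bad_password": login("vio_demo", "wrong"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `forged_naive_cookie` result is the case to avoid: any value the browser can rewrite must be checked against server-side state or credentials before it is treated as an identity.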