[Zope] User DB - accessing Authenticated User in Python - and the Zope Mailing list

Paul Gresham gresham@traderisk.com
Wed, 3 Nov 1999 16:58:56 +0800


Hi,
At MediaVisual Hong Kong we are looking to do a lot of the things that are
available on the Zope web site, relating to the subscriber database,
although the site we are building is a lesiure/lifestyle site for young
asian's. Can you please help me with a few queries. The first is simple.

Is the Zope Mailing list handled by Zope, or another package ?  As we would
like similar functionality.

The second is relating to the UserDB. I never found any real good docs on
it, but managed to get it all working, against MySQL. However I have found
that if I log on as a subscriber, then go to the /manage section, I am able
to change some, but not all things across the entire site!!  I am also able
to cut and paste most objects, although I cannot delete. Can anyone give me
some pointers on what to look for. I have also found that if I know the URL
to call a function and update a user, I can pass my own parameter across and
change almost any existing users password etc.

Lastly, I cannot quite figure out how to get the authenticated user inside
Python, if I can get this, then my python code can stop the above problem
should a user construct their own URL to change a password. Is this a
sensible way forward, it seems that I need to authenticate at the Python
level, as the data and methods are stored externally to Zope. Any user which
has access to the function can construct a URL which will perform an update
regardless of user, once we are in the UserDB Python code.

Thanks for any help you can give
Paul