[Zope] Problem with AUTHENTICATED_USER.has_role('X')

Andrew Veitch andrew@logicalprogression.net
Fri, 13 Dec 2002 00:38:25 +0000


It's better to do:

<dtml-if "_.SecurityGetUser().has_role('Manager')">

REQUEST.AUTHENTICATED_USER can be less secure.

I don't understand the other bit of your problem I'm afraid. Have you tried
with another browser?

I've found that cookie-based authentication (I use CookieCrumbler) is far
nicer for the user, especially for things such as logging out. Something to
consider.

A

On 12/12/02 2:34 pm, "complaw@hal-pc.org" <complaw@hal-pc.org> wrote:

> I'm stumped.
> 
> I have a block of dtml code in my standard_html_header file that is supposed to
> tailor the menu line depending upon the user's role (once authenticated).  For
> example, the standard_html_header file contains something like:
> 
> <dtml-if "AUTHENTICATED_USER.has_role('Manager')">
> ... make a (more extensive) menu line
> <dtml-else>
> ... make a menu line for non-authenticated users
> </dtml-if>
> 
> I have a login menu item for the non-authenticated users, giving them an
> opportunity to authenticate.  The authentication scheme calls a DTML Method
> (named "logger") that has security settings such that the challenge/response
> routine is initiated.  Once the user is able to run logger, it takes them back
> to the index_html file (with the standard_html_header file mentioned above).
> When coming from the logger object, the menu is constructed correctly
> (according to the user's role).  However, when coming back to index_html from
> somewhere else (say another folder), it goes back to the non-authenticated menu
> as if I never logged in (i.e., the code of the AUTHENTICATED_USER has somehow
> changed or is being ignored).  Note, when I click on the login menu button
> (calling the logger object), I immediately get the correct menu (without the
> challenge/response).
> 
> Is there something to remedy this problem?
> 
> TIA,
> 
> Ron