[Zope] newbie auth advice.

Jim Penny jpenny@universal-fasteners.com
Thu, 20 Jun 2002 14:50:26 -0400


On Thu, Jun 20, 2002 at 01:51:15PM -0400, Nathan Valentine wrote:
> 
> This is probably a newbie question but I have read lots of docs and the
> Spicklemire book and I'm still not sure where to start...
> 
> I am working on a site for several clients and I would like for
> clients/users to login with:
> 
> - username
> - password 
> - client company name
> 
> Those three pieces of login information will then be used to determine
> what information a user sees on their default page and where they can go
> on the site. I'm not sure if I should be looking at LoginManager,
> exUserFolder, SimpleUserFolder, CoreSessionTracking, or possibly even
> CMF. Most of the site content will be pulled from a Postgres database. 
> 
> I would appreciate advice from experienced Zopers. I would like to take
> whatever path is simplest and also likely to be supported in later
> versions of Zope. I get the feeling that there are many ways to do what
> I am trying to accomplish...perhaps too many and that is why I am
> confused. 
> 
> Thanks. :)
> 
> -- 
> ---
> Nathan Valentine - nathan@nathanvalentine.org
> Jabber: NRVesKY AIM: NRVesKY ICQ: 39023424


OK:

here is the $64,000 question.  Say you have users from BigCo.  Who will
be administering these users?  Are you going to do it?  If so, I would
strongly consider exUserFolder.

Does an untrusted administrator at BigCo administer their users?  Or worse,
does BigCo make all or part of their content available to LittleCo?
Do alliances shift like Afghani politics?  In that case, none of the
stock folders will do it for you.

I wrote, and have mostly working, a user folder to deal with such
conditions.  It is known working with zope2.5, but could be improved,
and delegated administration is only lightly tested.  (Actually, there
are two kinds of delegated administration:  the more powerful delegated
administration allows such administrators to grant "any content" accounts,
but only for certain roles.  This is fairly thoroughly tested.  The less
powerful administrators, who may work with only some "companies" and
only some roles are less well tested.)

This user folder will be updated through the 2.x series (x>=3).
I need it.  I will need something like it for the 3.x series, but as
user folder issues in 3.x appear to be somewhat up in the air, I make
no guarantee now.  I certainly will need something like it then, as well.

I have never made any effort to release this user folder.  I have seen
only one other person ever discuss the need for such.  If there is
interest,  I think I would have no trouble getting permission to release.

But, there is significant risk of "user folder lock-in".  It does things
in ways that no other folder does, presents a slightly different API.
So, consider wisely, grasshopper.

Jim Penny 
YKK Universal Fasteners Inc
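The reply above sketches the model Jim's folder implements: users who
belong to a company, a three-part login (username, password, company),
and two kinds of delegated administrator, one who may create accounts for
any company but only in certain roles, and a weaker one limited to some
companies and some roles.  The sketch below is an added illustration of
that authorization model and is not Jim Penny's user folder, nor any
Zope product; the class and method names (CompanyUserFolder, AdminScope,
can_grant), the PBKDF2 password storage, and the sample companies and
accounts in build_demo() are all assumptions constructed for the example.

```python
# Added illustration of company-scoped accounts and delegated administration.
# Not Jim Penny's user folder and not any Zope product; names are hypothetical.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor, not from the original post


@dataclass
class User:
    name: str
    company: str
    roles: Set[str]
    salt: bytes
    pw_hash: bytes


@dataclass(frozen=True)
class AdminScope:
    """What a delegated administrator may hand out.

    companies=None is the more powerful kind: accounts for any company,
    but only the listed roles.  A frozenset of company names is the less
    powerful kind: only those companies, and only the listed roles.
    """
    roles: FrozenSet[str]
    companies: Optional[FrozenSet[str]] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CompanyUserFolder:
    """Users are keyed by (company, username): the same username at two
    companies is two unrelated accounts, so the company is part of the login."""

    def __init__(self) -> None:
        self._users: Dict[Tuple[str, str], User] = {}
        self._scopes: Dict[Tuple[str, str], AdminScope] = {}

    def add_user(self, name: str, company: str, password: str, roles=()) -> User:
        salt = os.urandom(16)
        user = User(name, company, set(roles), salt, _derive(password, salt))
        self._users[(company, name)] = user
        return user

    def authenticate(self, name: str, password: str, company: str) -> Optional[User]:
        user = self._users.get((company, name))
        if user is None:
            # Same work on an unknown account, so a miss is not cheaper than a
            # wrong password and the response time does not reveal valid names.
            _derive(password, b"\x00" * 16)
            return None
        if hmac.compare_digest(_derive(password, user.salt), user.pw_hash):
            return user
        return None

    def delegate(self, admin: User, roles, companies=None) -> None:
        scope = AdminScope(frozenset(roles), None if companies is None else frozenset(companies))
        self._scopes[(admin.company, admin.name)] = scope

    def can_grant(self, admin: User, target_company: str, role: str) -> bool:
        scope = self._scopes.get((admin.company, admin.name))
        if scope is None:
            return False  # not a delegated administrator at all
        if role not in scope.roles:
            return False  # role outside the delegation
        if scope.companies is not None and target_company not in scope.companies:
            return False  # company outside the delegation
        return True

    def grant(self, admin: User, target_name: str, target_company: str, role: str) -> Set[str]:
        if not self.can_grant(admin, target_company, role):
            raise PermissionError(f"{admin.company}/{admin.name} may not grant {role} at {target_company}")
        target = self._users[(target_company, target_name)]
        target.roles.add(role)
        return set(target.roles)


def build_demo() -> CompanyUserFolder:
    """Constructed sample data: two companies and both kinds of delegated admin."""
    f = CompanyUserFolder()
    alice = f.add_user("alice", "BigCo", "alice-pw", ["Viewer"])
    bob = f.add_user("bob", "LittleCo", "bob-pw", ["Viewer"])
    f.add_user("carol", "BigCo", "carol-pw")
    f.add_user("dave", "LittleCo", "dave-pw")
    f.delegate(alice, roles=["Viewer", "Editor"])              # any company, two roles
    f.delegate(bob, roles=["Viewer"], companies=["LittleCo"])  # one company, one role
    return f
```

The check in can_grant is deliberately three independent denials: no
delegation at all, role outside the delegation, company outside the
delegation.  That is what keeps the "any content" administrator from
handing out a role they do not hold the right to grant, and keeps the
company-scoped administrator from reaching into another company's
accounts, which is the lock-in-prone behaviour the reply warns that no
stock user folder models.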