[Zope] Re: LDAPUserFolder

Jens Vagelpohl jens@zope.com
Sun, 12 May 2002 20:14:32 -0400


As far as the Authenticated role goes, it is never something you should 
assign programmatically in your own code. Authenticated is a role that 
generically says "this user is not just anonymous", and that's all. It is 
not supposed to be assigned by third-party code. I won't put any code into 
my products that allows the user to do so, either.

What is the problem with using the standard Zope mechanisms? Creating a 
specific role in Zope and maybe mapping some LDAP group to it should do 
the job.

jens


On Sunday, May 12, 2002, at 04:59 , Dirk Datzert wrote:

> Hi Jens,
>
> I thought today about group to role mapping and the zope roles
> Anonymous and Authenticated.
>
> Am I right that Authenticated will be assigned if a user successfully
> validates against the LDAP server?
>
> Do you think it is possible in LDAPUserFolder / LDAPRoleTwiddler to assign
> Authenticated only if a user is a member of a special LDAP group?
>
> I came about this point while I develop our intranet with EasyPublisher,
> which has the 4 standard Zope roles + 2 roles for workflow and content
> management:
>
> Anonymous, Authenticated, Manager, Owner + Author & Reviewer
>
> If I want to restrict visitors on a special folder to view only public
> material this will be done via standard zope mechanism.
>
> If I want to allow a special group of authenticated users to access
> non-public material I have a problem:
>
> I want to use the standard Zope mechanism (like skip_unauthorized).
> Authenticated users will get the role Authenticated.
> I can't distinguish between Authenticated users who have the rights
> to access the material and Authenticated users who aren't allowed
> to view the material.
>
> One way out would be the definition of a new role, name it 'Viewer'.
> But then I have to program special role behaviour like
> <dtml-if AUTHENTICATED_USER.has_role('Viewer')>
> ...
> </dtml-if>
>
> If I could use the skip_unauthorized feature this would be more general.
>
> A possibility to say in LDAPRoleTwiddler something like:
> If not member of LDAP group x, then not role y.
>
> Can you give me your point of view?
>
> Regards,
> Dirk
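The mapping approach Jens suggests (a dedicated role such as 'Viewer' derived from an LDAP group, with 'Authenticated' left to the authentication outcome and access decided by the folder's permission-to-role settings rather than hand-written has_role checks) can be sketched as a small self-contained model. This is an added illustration, not code from Zope, LDAPUserFolder or LDAPRoleTwiddler; the group DNs, the GROUP_TO_ROLE table, the folder permission settings and the function names are all constructed for the example, and the treatment of Anonymous is a simplification of Zope's behaviour.

```python
"""Model of Zope-style roles with an LDAP group-to-role mapping (illustration only)."""

# Constructed sample mapping: LDAP group DN -> Zope role.
# Assumption: each user's group memberships have already been resolved
# to a list of group DNs by the user folder.
GROUP_TO_ROLE = {
    "cn=intranet-viewers,ou=groups,dc=example,dc=com": "Viewer",
    "cn=authors,ou=groups,dc=example,dc=com": "Author",
    "cn=reviewers,ou=groups,dc=example,dc=com": "Reviewer",
}

# Roles that come from the authentication outcome, never from a mapping.
BUILTIN_ROLES = {"Anonymous", "Authenticated"}


def roles_for_user(authenticated, groups, mapping=GROUP_TO_ROLE):
    """Return the set of roles a principal carries.

    Simplification: Zope grants anything permitted to Anonymous to everyone,
    so every principal is modelled as holding the Anonymous role.
    'Authenticated' is added solely because the login succeeded; the mapping
    may only contribute product-specific roles such as 'Viewer'.
    """
    roles = {"Anonymous"}
    if not authenticated:
        return roles
    roles.add("Authenticated")
    for group in groups:
        role = mapping.get(group)
        if role is None:
            continue  # group not mapped to any role: ignore it
        if role in BUILTIN_ROLES:
            # Refuse a mapping that tries to hand out a built-in role.
            raise ValueError("mapping may not assign built-in role %r" % role)
        roles.add(role)
    return roles


# Constructed sample folder settings: permission -> roles allowed to use it.
PUBLIC_FOLDER = {"View": {"Anonymous", "Authenticated", "Viewer", "Manager"}}
INTERNAL_FOLDER = {"View": {"Viewer", "Manager"}}


def check_permission(folder, permission, roles):
    """True if any of the principal's roles is granted the permission here."""
    allowed = folder.get(permission, set())
    return bool(allowed & roles)


def visible_items(items, permission, roles):
    """skip_unauthorized-style listing: keep only items the principal may use."""
    return [name for name, folder in items
            if check_permission(folder, permission, roles)]


if __name__ == "__main__":
    items = [("public", PUBLIC_FOLDER), ("internal", INTERNAL_FOLDER)]
    plain = roles_for_user(True, [])
    viewer = roles_for_user(True, ["cn=intranet-viewers,ou=groups,dc=example,dc=com"])
    print("authenticated, no group:", visible_items(items, "View", plain))
    print("authenticated, viewer group:", visible_items(items, "View", viewer))
```

Because the decision lives in the folder's View permission settings, the listing code stays generic: a user who authenticated but is not in the viewer group simply does not see the internal folder, with no role name hard-coded in the template.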