[Zope] cookie Crumbler problem
Chris Withers
lists at simplistix.co.uk
Fri Mar 26 05:53:15 EST 2004
Joshua Newman wrote:
> Code for form: (in html without the end brackets)
(when you're posting in plain text, it's fine to put in real html ;-)
> input name="prop" type="hidden" value="<dtml-var prop>"
> textarea name="propval" rows="15" cols="65" wrap="hard"
> /textarea
> if ( context.index_html.hasProperty(REQUEST['prop']) ):
> context.index_html.manage_changeProperties({ REQUEST['prop'] : propval })
> else:
> context.index_html.manage_addProperty(REQUEST['prop'], propval, 'text')
oh how many times I've wishes for an "addOrChangeProperties" method ;-)
> What's interesting is that it works when a user is already
> authenticated and makes it to the edit form. It fails only when the
> form is arrived at by an anonymous user and has to authenticate in the
> middle of the form submission when the python script requires
> privileges in order to change properties.
Bingo :-) Of course that'll happen thinking about it. Cookie auth involved http
redirects, which means different requests. the solution is to make your form
only viewable by authenticated people :-)
> I'm using Cookie crumbler (newest version). And I've tried making the
> individual pages secured but the same problem occurs. When the form
> is secured it disables the passed variables needed to use the form.
Then you need to make whatever passes those variable not anonymously viewable as
well. Either that, or store stuff in the SESSION instead of the REQUEST, since
that'll last through redirects.
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
More information about the Zope
mailing list