[Zope] Post authentication hook and anonymous users

Cyrille Bonnet cyrille at 3months.com
Wed Mar 2 17:29:50 EST 2005


Hi Zope people,

I have been using Dieter Maurer's Post authentication hook quite 
successfully to restrict access to a folder for a group of users.

Now, my problem is that Post authentication hook is only called... for 
authenticated users (as its name implies).

That's a problem for me, because anonymous users that can guess a URL 
could access private areas that I have set up.

(BTW, I am aware that I could restrict the access by changing the "View" 
permission in the "Security" tab and remove "Acquired", but that's not 
good enough: it then shows all documents to authorized users, regardless 
of their workflow state).

Anyway, I am thinking of adding an unvalidated_hook call in 
ZPublisher/BaseRequest.py, something like:

        if user is not None:
            # Existing behaviour: the post-authentication hook only runs
            # when traversal produced a user object.
            if validated_hook is not None: validated_hook(self, user)
            request['AUTHENTICATED_USER']=user
            request['AUTHENTICATION_PATH']='/'.join(steps[:-i])
        else:
            # Proposed addition: give requests with no user a hook of their
            # own, so folder access is checked for anonymous visitors too.
            if unvalidated_hook is not None: unvalidated_hook(request)

And then in unvalidated_hook, I would dynamically check if anonymous 
users can access the current folder.

Am I on the right track or is there a built-in functionality in Zope to 
accomplish what I am trying to do?

Advice and pointers are welcome.

Cheers

Cyrille
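The gap the post describes, modelled as a small stand-alone example (added here; not Zope's ZPublisher code and not Cyrille's patch). The names Folder, Request, publish, group_check and anonymous_check are stand-ins, and the site tree is constructed inline. It contrasts a dispatch that only calls a hook for authenticated users, which lets a credential-less request through to a private folder, with one that also runs a hook for anonymous requests.

```python
"""Model of the publisher authentication step discussed in the post:
a post-authentication hook that only fires when a user was found,
beside a version that also gives anonymous requests a hook.
Added illustration with stand-in names, not Zope's own code."""

from dataclasses import dataclass, field
from typing import Callable, Optional

ANONYMOUS = "Anonymous User"


class Unauthorized(Exception):
    pass


@dataclass
class Folder:
    name: str
    private: bool = False                 # restricted to a group, as in the post
    workflow_state: str = "published"
    allowed_groups: set = field(default_factory=set)


@dataclass
class Request:
    path: str
    user: Optional[str] = None            # None: no credentials were presented
    groups: set = field(default_factory=set)
    environ: dict = field(default_factory=dict)


# Constructed site tree: one public folder, one members-only private folder.
SITE = {
    "/public": Folder("public"),
    "/private": Folder("private", private=True, workflow_state="private",
                       allowed_groups={"members"}),
}


def folder_for(path: str) -> Folder:
    folder = SITE.get(path)
    if folder is None:
        raise KeyError(path)
    return folder


def group_check(request: Request, user: str) -> None:
    """Post-authentication hook: deny a known user outside the folder's group."""
    folder = folder_for(request.path)
    if folder.private and not (folder.allowed_groups & request.groups):
        raise Unauthorized(f"{user} may not view {folder.name}")


def anonymous_check(request: Request) -> None:
    """Hook for requests with no user: only published, public folders are visible."""
    folder = folder_for(request.path)
    if folder.private or folder.workflow_state != "published":
        raise Unauthorized(f"anonymous may not view {folder.name}")


def publish(request: Request,
            validated_hook: Optional[Callable] = None,
            unvalidated_hook: Optional[Callable] = None) -> str:
    """Authentication step modelled on the snippet in the post.
    Returns the name of the folder the request reaches, or raises Unauthorized."""
    if request.user is not None:
        if validated_hook is not None:
            validated_hook(request, request.user)
        request.environ["AUTHENTICATED_USER"] = request.user
    else:
        # Without this branch a request carrying no credentials skips every
        # check and reaches the folder: the fail-open case the post describes.
        if unvalidated_hook is not None:
            unvalidated_hook(request)
        request.environ["AUTHENTICATED_USER"] = ANONYMOUS
    return folder_for(request.path).name


def outcome(request: Request, **hooks) -> str:
    """'allowed' or 'denied' for a request under a given hook configuration."""
    try:
        publish(request, **hooks)
        return "allowed"
    except Unauthorized:
        return "denied"


if __name__ == "__main__":
    anon = Request("/private")
    print("hook only for users:", outcome(anon, validated_hook=group_check))
    print("hook for anonymous too:",
          outcome(anon, validated_hook=group_check, unvalidated_hook=anonymous_check))
```

With only validated_hook configured, the anonymous request to /private is "allowed" because the hook never runs; adding unvalidated_hook turns it into "denied" while a member of the right group is still let in.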


