Protecting views to allow anonymous access only

Hello cavemen!

I'm in the progress of developing my first Grok application, so please be patient with me and my maybe stupid questions.

Right now I'm stuck with this…

I need to protect a view, so that it can be accessed *only* by anonymous users.

I know:

 - how to protect a view with e.g.
   grok.require('my.CustomPermission')
 - how to create a custom role
 - how to gather permissions in this role

I don't know:

 - how to grant my role to the anonymous user

Any pointers would be appreciated.

TIA,
Andreas

_______________________________________________
Grok-dev mailing list
Grok-dev@...
http://mail.zope.org/mailman/listinfo/grok-dev

Re: Protecting views to allow anonymous access only

Hey Andreas,

I was away for a couple of days so this one got stuck in the mail queue for a while, sorry for the delay!

[Are other people actually monitoring the mail queue? We set up quite a few people to do it, but I'm not sure whether it's being done actively. If you want to volunteer to make sure non-spam new postings get approved quickly, please drop me a mail]

Andreas Kaiser wrote:
> I'm in the progress of developing my first Grok application, so please
> be patient with me and my maybe stupid questions.
>
> Right now I'm stuck with this…
>
> I need to protect a view, so that it can be accessed *only* by
> anonymous users.
>
> I know:
>
>  - how to protect a view with e.g.
>    grok.require('my.CustomPermission')
>
>  - how to create a custom role
>
>  - how to gather permissions in this role
>
> I don't know:
>
>  - how to grant my role to the anonymous user
>
> Any pointers would be appreciated.

Hm, interesting question to which I can't answer directly. I'm not sure whether anonymous permission checks don't undergo some shortcut whereby this strategy can fail, but some possible hints:

request.principal.id gives you the permission id, so you should be able to figure out what the id for anonymous is. I think it's going to be 'zope.unknown'.

You might be able to use IPrincipalRoleMap on your content object (perhaps the root of your application) to assign your role to zope.unknown. See zope.app.securitypolicy.interfaces for more information.

Other possible directions to take:

It turns out you can apparently override what the IUnauthenticatedPrincipal object will be by supplying the right utility. See zope.app.security.globalprincipals.txt. Probably not needed.

More interesting bits in zope.app.security.globalprincipals.txt:

You can apparently create an unauthenticated group in ZCML (perhaps it's already created in the standard startup profile of Grok - not sure). You could then, I think, assign your role to this group, using IPrincipalRoleMap again (the group id zope.unknowngroup should be the principal id).

Regards,
Martijn

Re: Protecting views to allow anonymous access only

Andreas Kaiser wrote:
> I'm in the progress of developing my first Grok application, so please
> be patient with me and my maybe stupid questions.
>
> Right now I'm stuck with this…
>
> I need to protect a view, so that it can be accessed *only* by
> anonymous users.

That's going to be hard to impossible to do with Zope's default security policy.

> I know:
>
>  - how to protect a view with e.g.
>    grok.require('my.CustomPermission')
>
>  - how to create a custom role
>
>  - how to gather permissions in this role
>
> I don't know:
>
>  - how to grant my role to the anonymous user

Best done in site.zcml, which is generated out of your buildout.cfg.

    <grant role="..." principal="zope.anybody" />

You can also make local grants so that this grant is only active below a certain object 'obj':

    manager = IPrincipalRoleManager(obj)
    manager.assignRoleToPrincipal(role_id, principal_id)

Re: Re: Protecting views to allow anonymous access only

Philipp von Weitershausen wrote:
> Andreas Kaiser wrote:
>> I'm in the progress of developing my first Grok application, so please
>> be patient with me and my maybe stupid questions.
>>
>> Right now I'm stuck with this…
>>
>> I need to protect a view, so that it can be accessed *only* by
>> anonymous users.
>
> That's going to be hard to impossible to do with Zope's default security
> policy.

Hi,

You could do the following:

In buildout.cfg,

    <unauthenticatedPrincipal id="zope.anybody"
                              title="Anonymous user" />

    <grant permission="mysite.Anonymous" principal="zope.anybody" />

Then you can protect a view with mysite.Anonymous and only not-logged-in users can access it.

(I use it to add a "login", "register", etc viewlet to the default layout).

Or am I missing the problem?

Cheers,
Dennis

Re: Re: Protecting views to allow anonymous access only

Dennis Noordsij wrote:
| Philipp von Weitershausen wrote:
|> Andreas Kaiser wrote:
|>> I'm in the progress of developing my first Grok application, so please
|>> be patient with me and my maybe stupid questions.
|>>
|>> Right now I'm stuck with this…
|>>
|>> I need to protect a view, so that it can be accessed *only* by
|>> anonymous users.
|> That's going to be hard to impossible to do with Zope's default security
|> policy.
|
| You could do the following:
|
| In buildout.cfg,
|
|     <unauthenticatedPrincipal id="zope.anybody"
|                               title="Anonymous user" />
|
|     <grant permission="mysite.Anonymous" principal="zope.anybody" />
|
| Then you can protect a view with mysite.Anonymous and only not-logged-in
| users can access it.
|
| (I use it to add a "login", "register", etc viewlet to the default layout).
|
| Or am I missing the problem?

No, this is *exactly* what I want to achieve.

Thanks everyone for your suggestions, I'll try them ASAP.

Andreas

Re: Re: Protecting views to allow anonymous access only

On 31 Jul 2008, at 12:26, Dennis Noordsij wrote:
> You could do the following:
>
> In buildout.cfg,
>
>     <unauthenticatedPrincipal id="zope.anybody"
>                               title="Anonymous user" />
>
>     <grant permission="mysite.Anonymous" principal="zope.anybody" />
>
> Then you can protect a view with mysite.Anonymous and only
> not-logged-in users can access it.
>
> (I use it to add a "login", "register", etc viewlet to the default
> layout).
>
> Or am I missing the problem?

I suppose that would work, if you only assign the permission to the anonymous *principal*. Because zope.securitypolicy implicitly assigns the anonymous *role* to anybody.

However, there's still one caveat. Manager roles, in other words, roles that were granted everything using <grantAll /> literally can do *everything*, without having any permission granted explicitly. So the above trick would allow the anonymous principal to carry out the task and nobody else except "managers" (for the lack of a better word). Managers would still be able to access the component no matter what.

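The distinction drawn in the last reply, as an added example that is not part of the original thread and is not zope.securitypolicy's own code: a simplified allow-only Python model comparing a grant to the anonymous principal with a grant to the anonymous role, including the <grantAll /> caveat. The Policy class and the users alice and admin are constructed for illustration, and zope.Manager is assumed to be the role that was given <grantAll />.

```python
# Simplified model of the decision described in the thread (assumption:
# allow-only, no Deny and no local grants). Not zope.securitypolicy itself.
ANON_PRINCIPAL = "zope.anybody"   # principal id used in the thread's ZCML
ANON_ROLE = "zope.Anonymous"      # role every principal implicitly holds
PERMISSION = "mysite.Anonymous"   # permission name used in the thread


class Policy:
    def __init__(self):
        self.principal_permissions = set()  # (principal_id, permission)
        self.role_permissions = set()       # (role_id, permission)
        self.principal_roles = set()        # (principal_id, role_id)
        self.grant_all_roles = set()        # roles configured with <grantAll />

    def roles_of(self, principal_id):
        roles = {r for p, r in self.principal_roles if p == principal_id}
        roles.add(ANON_ROLE)  # implicit: everybody has the anonymous role
        return roles

    def check(self, principal_id, permission):
        # A direct grant to the principal allows access.
        if (principal_id, permission) in self.principal_permissions:
            return True
        for role in self.roles_of(principal_id):
            # A <grantAll /> role passes without any explicit grant.
            if role in self.grant_all_roles:
                return True
            if (role, permission) in self.role_permissions:
                return True
        return False


def build(grant_to):
    """Build a constructed scenario; grant_to is 'principal' or 'role'."""
    policy = Policy()
    policy.grant_all_roles.add("zope.Manager")
    policy.principal_roles.add(("admin", "zope.Manager"))  # constructed user
    if grant_to == "principal":
        policy.principal_permissions.add((ANON_PRINCIPAL, PERMISSION))
    else:
        policy.role_permissions.add((ANON_ROLE, PERMISSION))
    return policy


def who_can_access(policy):
    # alice is a constructed logged-in user without special roles.
    return {p: policy.check(p, PERMISSION)
            for p in (ANON_PRINCIPAL, "alice", "admin")}


if __name__ == "__main__":
    for mode in ("principal", "role"):
        print(mode, who_can_access(build(mode)))
```
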