[DM] Post authentication hook

Bug #374723 reported by Andreas Jung
This bug affects 1 person
Affects: Zope 2
Status: Invalid
Importance: Wishlist
Assigned to: Unassigned

Bug Description

2. Introduction

Sometimes, it is useful to check non-standard web access permissions at a central place. We use this e.g. in "iDesk" to check license validity on any access to an "iDesk" product -- whether directly to the product itself or to an arbitrary resource inside the product. Another use case is to prevent web access to subhierarchies under some conditions -- e.g. to Redaktionsportal from the external internet.

3. Feature

Check at the end of ZPublisher traversal whether there is a post_authentication_hook acquirable from the published object. In this case, call this object with the parameters request and user.

4. Example Use Cases

    * Products.HR.HRProducts.Product defines the method post_authentication_hook to perform license checks
    * An appropriate post_authentication_hook in /Redaktionsportal could prevent general internet access to Redaktionsportal

5. Notes

    * The feature is unsafe in environments where users can create objects with arbitrary ids as then the protection can be locally disabled by creating an object with id post_authentication_hook.
    * This feature is likely to break for the non-acquisition-aware Zope 3 views. Looks like we must use something else (and implement the iDesk license checks differently).
    * ZPublisher implements a similar feature post_traverse. It can be used to partially emulate the post_authentication_hook feature. post_traverse has some disadvantages:
          o the hooks need to be dynamically added on each request. This makes its use for our use cases more difficult.
          o several post traverse hooks may interfere with one another. This may prevent a reliable emulation of the post_authentication_hook feature.
    * Similar functionality might be implemented with an event and local subscriptions. I am unsure about the precise semantics of local subscriptions. Only if subscriptions deeper in the hierarchy can hide corresponding subscriptions higher up, this functionality could be used to implement post_authentication_hook. However, this is unlikely. In any case, this approach would lead to a considerably more complex implementation in applications using this feature.
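
The shadowing risk from the first note, as a toy model added here (not part of the original report and not Zope code). `Node`, `check_nearest`, `check_all` and `build_site` are hypothetical names, and `check_all` is an assumed alternative the report does not propose: it runs every hook on the path so a deeper object cannot hide one above it.

```python
# Toy model of acquisition-style lookup (constructed; not Zope's real API).
HOOK_ID = "post_authentication_hook"

class Forbidden(Exception): pass  # raised by a hook to refuse the request

class Node:
    """Container whose children (objects or hooks) are stored by id."""
    def __init__(self, node_id, parent=None):
        self.parent, self.children = parent, {}
        if parent is not None:
            parent.children[node_id] = self

def path_to_root(node):
    while node is not None:
        yield node
        node = node.parent

def check_nearest(published, request, user):
    """Feature as described: call only the nearest acquirable hook."""
    for node in path_to_root(published):
        if HOOK_ID in node.children:
            return node.children[HOOK_ID](request, user)

def check_all(published, request, user):
    """Assumed variant: run every hook from the root down, so a deeper
    object can add restrictions but cannot hide a hook above it."""
    for node in reversed(list(path_to_root(published))):
        if HOOK_ID in node.children:
            node.children[HOOK_ID](request, user)

def allowed(check, published, request, user):
    try:
        check(published, request, user)
        return True
    except Forbidden:
        return False

def deny_external(request, user):
    if request.get("external"):
        raise Forbidden("no access from the external internet")

def build_site(shadowed):
    """Constructed tree: root/Redaktionsportal/userfolder/doc."""
    portal = Node("Redaktionsportal", Node("root"))
    portal.children[HOOK_ID] = deny_external
    folder = Node("userfolder", portal)
    if shadowed:  # user-created object with the hook id that permits everything
        folder.children[HOOK_ID] = lambda request, user: None
    return Node("doc", folder)
```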

Andreas Jung (ajung) wrote :
Changed in zope2:
importance: Undecided → Wishlist
status: New → Confirmed
Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid