You are not logged in Log in Join
You are here: Home » Members » jim » ZopeSecurity » Watermarking
Log in
Name

Password

 
Link icon Forgot your password?
 
Print

Watermarking

Note
This will go away in Zope 2.2. It is made unecessary by the new security APIs described in InterfacesWiki:SecurityPolicies

Starting in Zope 2.1.6, a watermark is placed in user objects when they are authenticated. Currently, this is done by the Zope publisher, ZPublisher?.

When a user is authenticated, the attribute _v__marker__ is set to a special value. This mark cannot be set by DTML (or ThroughTheWeb?, TTW) programs, so the user cannot be faked using TTW programs.

Python code, such as code in DTML methods is about to use the [AUTHENTICATED_USER]? for security-related tasks, it checks the watermark by calling AccessControl.verify_watermark and passing the user.

Zen
This seems cumbersome. Could we just have a method of retrieving AUTHENTICATED_USER which raises an Exception if AccessControl?.verify_watermark fails? It would be nice if accessing REQUEST.AUTHENTICATED_USER did this. Or was this the behaviour in 2.1.5 that prompted the quick release of 2.1.6?
Jim
Do you still need access to AUTHENTICATED_USER, in light of the new proposed ZopeSecurityPolicies?

If so, then there should probably be a method in SecurityManager to get the AUTHENTICATED_USER.

Note that the use of an attribute and the name chosen should currently be viewed as an implementation detail that may change. We may need to define an interface on user objects to support watermarking.
Copyright (c) 2011 Zope Foundation. All rights reserved. Legal | Contact
If you can read this text, it means you are not experiencing the Plone design at its best. Plone makes heavy use of CSS, which means it is accessible to any internet browser, but the design needs a standards-compliant browser to look like we intended it. Just so you know ;)