History for Watermarking

Note -- This will go away in Zope 2.2. It is made unnecessary
    by the new security APIs described in
    InterfacesWiki:SecurityPolicies

Starting in Zope 2.1.6, a watermark is placed in
user objects when they are authenticated. Currently, this
is done by the Zope publisher, ZPublisher.

When a user is authenticated, the attribute '_v__marker__'
is set to a special value.  This mark cannot be set
by DTML (or ThroughTheWeb, TTW) programs, so the user
cannot be faked using TTW programs.

When Python code, such as code in DTML methods, is about to use the
AUTHENTICATED_USER for security-related tasks,
it checks the watermark by calling
'AccessControl.verify_watermark' and passing the user.

  Zen -- This seems cumbersome. Could we just have a method of retrieving AUTHENTICATED_USER which raises an Exception if AccessControl.verify_watermark fails? It would be nice if accessing REQUEST.AUTHENTICATED_USER did this. Or was this the behaviour in 2.1.5 that prompted the quick release of 2.1.6?

    Jim -- Do you still need access to AUTHENTICATED_USER, 
       in light of the new proposed ZopeSecurityPolicies?

       If so, then there should probably be a method in 
       SecurityManager to get the AUTHENTICATED_USER.


Note that the use of an attribute and the name chosen should
currently be viewed as an implementation detail that may 
change. We may need to define an interface on user objects
to support watermarking.
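
The following is an added illustration, not Zope's code: a stand-alone Python model of the watermark check described above, including a checked accessor of the kind raised in the discussion. The names 'publisher_authenticate', 'ttw_setattr', 'authenticated_user' and 'ACCOUNTS' are hypothetical, 'verify_watermark' here is a local stand-in for 'AccessControl.verify_watermark', and the rule that TTW code cannot set underscore-prefixed names is modeled as an assumption.

```python
import hmac

_MARKER = object()  # private sentinel; only trusted Python code can reference it

class WatermarkError(Exception):
    """The user object was not marked by the trusted authentication path."""

class User:
    def __init__(self, name, roles=()):
        self.name, self.roles = name, tuple(roles)

def publisher_authenticate(name, password, accounts):
    """Trusted path (the publisher's role on this page): mark only after a real check."""
    record = accounts.get(name)
    if record is None or not hmac.compare_digest(record["password"], password):
        return None
    user = User(name, record["roles"])
    user._v__marker__ = _MARKER
    return user

def ttw_setattr(obj, name, value):
    """Assumed model of restricted TTW code: underscore names are off limits."""
    if name.startswith("_"):
        raise PermissionError("restricted code may not set %r" % name)
    setattr(obj, name, value)

def verify_watermark(user):
    """Return the user if it carries the private marker, otherwise raise."""
    if getattr(user, "_v__marker__", None) is not _MARKER:
        raise WatermarkError("user object was not authenticated by the publisher")
    return user

def authenticated_user(request):
    """Checked accessor: callers cannot forget the verification step."""
    return verify_watermark(request.get("AUTHENTICATED_USER"))

ACCOUNTS = {"jim": {"password": "s3cret", "roles": ("Manager",)}}  # constructed sample

def demo():
    real = publisher_authenticate("jim", "s3cret", ACCOUNTS)
    fake = User("jim", ("Manager",))  # look-alike object built outside the trusted path
    results = {"real": authenticated_user({"AUTHENTICATED_USER": real}).name}
    try:
        ttw_setattr(fake, "_v__marker__", True)
    except PermissionError:
        results["ttw_set"] = "blocked"
    fake._v__marker__ = True  # a marker-shaped value is still not the sentinel
    try:
        authenticated_user({"AUTHENTICATED_USER": fake})
    except WatermarkError:
        results["fake"] = "rejected"
    return results
```

The check compares by identity against a module-private object, so the attribute name alone is not what makes a user object trusted.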