View permission to check logged in members - plone

I'd like to limit a view in the Plone site root for logged in members only.
Which permission I should check?
For clarification: I'd like to use this permission in a Zope 3 view configuration and have something that works by default. I don't want to create and assign a permission to Authenticated myself if I can avoid it.

There is no "authenticated" permission; all permissions are for specific actions only, and if an authenticated user needs to be able to execute that action, then you should assign the corresponding permission to the 'Authenticated' role.
To get a quick list of (Zope2 string-based) permissions for the 'Authenticated' role, use the following ZMI view:
http://localhost:8080/Plone/manage_roleForm?role_to_manage=Authenticated
where I assume you run your site on port 8080 and you named the Plone object Plone. It shows all permissions in a multi-select list with those currently assigned activated.
On a default site, this list is pretty meagre, only Set own password, Set own properties and Use external editor are assigned. For the first two, Zope3 equivalents are defined in Products.CMFCore; they are cmf.SetOwnPassword, and cmf.SetOwnProperties; the third one doesn't have a Zope3 equivalent at the moment, but would be easy to define, just add this to a ZCML file somewhere:
<permission
id="plone.UseExternalEditor"
title="Use external editor"
/>
Zope3 permissions are simply aliases for their Zope2 counterparts using valid python ids.
I really do not know what you want to do with your view, but your best bet is to either find an appropriate permission and assign it to the 'Authenticated' role, or create a new permission.
The latter is really easy, actually.
Say I want to create an 'Access foo bar' permission; I'd simply register it directly with a Zope3 identifier in a ZCML file:
<permission
id="foobar.AccessFooBar"
title="Access foo bar"
/>
That's all there is to it; the "Access foo bar" permission will now be visible in the ZMI.
If you want to give this permission to specific roles by default, list them as contained elements:
<permission
    id="foobar.AccessFooBar"
    title="Access foo bar">
  <role name="Authenticated" />
</permission>
This only works for 'global' roles (defined at the Zope root), such as 'Manager', 'Anonymous' and 'Authenticated'.
Optionally, list it in a GenericSetup profile using the rolemap.xml file to assign this new permission to the Authenticated role:
<?xml version="1.0"?>
<rolemap>
  <permissions>
    <permission name="Access foo bar" acquire="False">
      <role name="Authenticated"/>
    </permission>
  </permissions>
</rolemap>
You'll need to use the latter only if you want to assign permissions defined at the Plone level, such as 'Site Administrator' or 'Editor'.
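Putting the answer together, here is a complete configure.zcml (an added example, not from the original post or from Plone itself) that defines the permission, grants it to the global Authenticated role and guards a view on the site root with it. The package name foobar, the view name members-only, the class MembersOnlyView and the template members_only.pt are assumed names.

```xml
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">

  <!-- Zope 3 id "foobar.AccessFooBar" aliases the Zope 2 string permission
       "Access foo bar". Granting it to the global Authenticated role here
       means every logged-in user has it on a fresh site; Anonymous does not,
       so the guarded view raises Unauthorized for them and Plone redirects
       to the login form. -->
  <permission
      id="foobar.AccessFooBar"
      title="Access foo bar">
    <role name="Authenticated" />
  </permission>

  <!-- View registered only on the Plone site root (IPloneSiteRoot), not on
       every content object, and protected by the new permission.
       (If you would rather not define a permission at all, the
       default-assigned cmf.SetOwnPassword mentioned above works here too.) -->
  <browser:page
      for="Products.CMFPlone.interfaces.IPloneSiteRoot"
      name="members-only"
      class=".views.MembersOnlyView"
      template="members_only.pt"
      permission="foobar.AccessFooBar"
      />

</configure>
```

Check the result in the ZMI role form from the answer (manage_roleForm?role_to_manage=Authenticated): "Access foo bar" should appear ticked, while the same form for Anonymous shows it unticked.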

In a stock Plone, authenticated (but not anonymous) users may change their own password. You can use that permission. It is called:
cmf.SetOwnPassword

Related

The child node "firewall_name" at path "hwi_oauth" must be configured

I'm doing a project with Symfony2 and I want to use Google/Facebook/Twitter for connection. So I installed HWIOAuthBundle, but I got this error when I updated my composer.json:
"The child node "firewall_name" at path "hwi_oauth" must be
configured.".
Thanks for your help!
Yes, and if you read the docs:
(it gives the config...)
Step 2: Configuring resource owners
HWIOAuthBundle creates a dedicated service for each resource owner you
want to use in your application. These resource owners will be used in
the oauth firewall. The bundle ships several pre-configured resource
owners that need only a little configuration.
To make this bundle work you need to add the following to your
app/config/config.yml:
app/config/config.yml
hwi_oauth:
    # name of the firewall in which this bundle is active, this setting MUST be set
    firewall_name: secured_area
    # an optional setting to configure a query string parameter which can be used to redirect
    # the user after authentication, e.g. /connect/facebook?_destination=/my/destination will
    # redirect the user to /my/destination after facebook authenticates them. If this is not
    # set then the user will be redirected to the original resource that they requested, or
    # the base address if no resource was requested. This is similar to the behaviour of
    # [target_path_parameter for form login](http://symfony.com/doc/2.0/cookbook/security/form_login.html).
    # target_path_parameter: _destination

Triggering a function when administrator enables a user in Sitecore

I'm trying to build a web application in which the user creates an account in the /extranet domain, and it's disabled initially.
When the Sitecore admin enables the user account, a function should be triggered so that a mail can be sent to the user, but I'm not finding any way to trigger the code.
This is the code I have used to create the user in /extranet:
Membership.CreateUser(mailId, password, mailId, "question", "answer", false, out status);
Well, there's a command that gets executed when you click on the Enable button (<command name="usermanager:enable" type="Sitecore.Shell.Framework.Commands.UserManager.Enable,Sitecore.Kernel"/>, which you can find in the Commands.config file in the App_Config folder), so you could override that with your own code (don't forget to also run that Enable functionality, of course).
Please refer to:
http://techmusingz.wordpress.com/2014/06/15/notify-sitecore-user-on-account-enable/
for a complete example of overriding the corresponding command.
You will need to replace:
<command name="usermanager:enable" type="Sitecore.Shell.Framework.Commands.UserManager.Enable,Sitecore.Kernel"/>
with:
<command name="usermanager:enable" type="Sitecore72.Classes.EnableUserNotify, Sitecore72"/>
You could use the reflected code from Sitecore.Kernel.dll and append your logic for notification in the Run method, where args.IsPostBack is true, after the user profile has been updated (user.IsApproved = true;).
This would enable you to retain the message boxes as implemented by Sitecore and add the custom functionality you need as well.

Tilde prefix returns invalid home directory

I am trying to find the home directory of users on a UNIX (Solaris/AIX) box using:
echo ~username
This does return the home directory for all valid users. For some reason this command also outputs a home directory which is non-existent for a few users who seem not to have logon access to that server.
For example, the above command would return the following for a non-existent user:
/home/username
What I expected was
~username
as output for a user with no access, and that does happen with certain usernames.
This makes me wonder what could be causing a difference between different users who do not have access to this server. Has this something to do with LDAP?
I can't find anything in /etc/passwd either.
The getent and finger commands were outputting a default home directory for a non-existent user (not retrieved using ldaplist) because the requests were handled through an intermediate access control mechanism such as Cisco SA Control for role-based access control.

Allow Anonymous users to search for plone Members

I'm trying to allow Anonymous users to search for Plone Members. I got it to work by setting the Anonymous role to have the "Manage Users" permission, which is not appropriate, of course. Is there a more specific permission for this? "List portal members" didn't work. I need to allow anonymous search because our intranet users generally don't authenticate. Our Plone members come from LDAP with custom fields (telephone, location, register). This was done with plone.app.ldap. I'm using Plone-4.0 and PlonePAS-4.0.1-py2.6.
This is what triggers some exception and opens the login_form for anonymous users:
member_search_results.pt
<metal:main fill-slot="main"
tal:define="search_view here/##pas_search;
listing_allowed python: checkPermission('List portal members', here);
results python:listing_allowed and search_view.searchUsersByRequest(request, sort_by='fullname') or [];
If I set listing_allowed to False, the template is rendered normally, informing the user that it couldn't do the search because it has no permission. But if listing_allowed is True, it goes to searchUsersByRequest, which returns the login_form.
I already looked at the PlonePAS configure.zcml to see the permissions, but there's nothing wrong there either. I tried changing the permission to zope2.Public and zope.Public, but with no success:
<browser:page
    for="*"
    name="pas_search"
    class=".search.PASSearchView"
    permission="zope2.View"
    allowed_interface="Products.PlonePAS.interfaces.browser.IPASSearchView"/>
Any help is appreciated.
Thanks!
You will probably be better off using https://pypi.python.org/pypi/Products.remember/1.9.2 as it gives all members content objects that should be searchable.
Otherwise, you might have to implement your own view that does the search and bypasses security considerations on poking around about users.

Multiple applications using same login database logging each other out

I've set up two ASP.NET applications on a machine, their web.config files contain the same applicationName value in AspNetSqlMembershipProvider item so they share users and roles.
The problem sequence is:
user logs into application A,
opens new tab in a browser
logs into application B,
his login in application A is signed out
and vice versa.
Should I use a different approach to sharing login information between two applications?
The problem you have is because the same cookie is used to authenticate the 2 different logins.
The solution, from what I understand, is to give a different cookie name to the different logins, so the one cookie does not overwrite the other one.
Probably the solution is in web.config.
On Config
Change the name value to something different on your 2 apps if you have the same domain and run in different directories/apps, or also change the domain value that is used to keep the cookie.
<authentication mode="Forms">
  <forms name=".CookieSuffix" domain="yoururl.com" ... />
</authentication>
For example, in the 2 different web.config files of your apps, place
on app 1: name=".app1"
on app 2: name=".app2"
Or
on app 1: domain="app1.yoururl.com"
on app 2: domain="app2.yoururl.com"
if you separate your apps based on URL, or even try some similar approaches.
The cookie is kept using the cookie name on the domain name, so these are the 2 values that you must try to separate.
Details on Forms setup can be found here:
http://msdn.microsoft.com/en-us/library/aa480476.aspx
Manual login
If you have the opportunity to make a manual login, the solution is in these functions:
FormsAuthentication.GetAuthCookie(cUserName, false, "cookiePath");
FormsAuthentication.SetAuthCookie(cUserName, false, "cookiePath");
You only need to use a different cookiePath, but you must change many points in your program and capture the login, logout and Authenticate processes.
Hope this helps you.
You should check out this tutorial.
Scroll down to the section titled Partitioning the User Store Into Applications. It says there that you can use the same user store for multiple applications.