How to differentiate between Plone users and Zope users programmatically

I'm very new to Plone. I'm working on a bug in the Plone add-on ECQuiz. The gist of what's happening is that it's supposed to do something (create a content object in the quiz folder) when someone with a particular (Plone) permission visits a particular view of this folder. The problem is that not only does it do this when Plone users with this permission visit this view, it also does this when the Zope administrator (who apparently has all permissions) visits this view as well. How do I tell a Zope user apart from a Plone user in Plone?

IINM once you grab the user object you can check its containers. If its acl_users's getPhysicalPath() doesn't include your site id, it probably means it's coming from one level above, that is, the Zope application root.

2 Likes
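The check suggested in the reply above, sketched as an added example that is not part of the original thread or of ECQuiz. It assumes the user object is acquisition-wrapped in the user folder that authenticated it (as with `getSecurityManager().getUser()`), compares the folder path against the portal path as a prefix rather than testing for the site id alone, and uses constructed stand-in objects (`Node` and the sample users are hypothetical) so it runs without Zope.

```python
# Added example: duck-typed so it runs without Zope installed. In a real site,
# `user` would come from AccessControl's getSecurityManager().getUser() and
# `portal` from plone.api.portal.get(); both are acquisition-wrapped there.

def user_folder_path(user):
    """Physical path of the user folder that produced `user`, or None."""
    folder = getattr(user, "aq_parent", None)  # assumed: wrapper parent is acl_users
    if folder is None or not hasattr(folder, "getPhysicalPath"):
        return None  # unwrapped user object: origin unknown
    return tuple(folder.getPhysicalPath())


def is_site_user(user, portal):
    """True only if the user's acl_users lives at or below the portal."""
    path = user_folder_path(user)
    if path is None:
        return False  # fail closed: unknown origin is not treated as a site user
    site = tuple(portal.getPhysicalPath())
    # Compare whole path segments as a prefix; testing for the site id alone
    # would also match a site with the same id elsewhere in the tree.
    return path[:len(site)] == site


# --- constructed stand-ins for Zope objects, for the demo only ---
class Node:
    def __init__(self, path, parent=None):
        self._path, self.aq_parent = tuple(path), parent

    def getPhysicalPath(self):
        return self._path


PORTAL = Node(("", "Plone"))
ROOT_ACL = Node(("", "acl_users"))
SITE_ACL = Node(("", "Plone", "acl_users"), PORTAL)
ZOPE_ADMIN = Node((), ROOT_ACL)        # defined in the Zope application root
PLONE_EDITOR = Node((), SITE_ACL)      # defined inside the Plone site
OTHER_SITE_USER = Node((), Node(("", "staging", "Plone", "acl_users")))

if __name__ == "__main__":
    for name, u in [("zope admin", ZOPE_ADMIN), ("plone editor", PLONE_EDITOR),
                    ("other site", OTHER_SITE_USER)]:
        print(name, user_folder_path(u), is_site_user(u, PORTAL))
```

In a view, a result of `False` for the current user would be the point at which to skip the content-creating side effect.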

Let me twist the question a bit. Why is someone logged in at the Zope root routinely visiting parts of your site? Reserve that login for the highest level administration, like creating new Plone sites.

3 Likes

In general true, but regarding the plone.api.user implementation: there is/was a bug where plone.api.user behaved differently for Managers defined on the Plone and on the Zope root level.

-aj

1 Like

@davilima6 I'll look into these, thanks!

@smcmahon that's exactly what my boss said, but as we are also the maintainers of the project, that makes it an issue that we need to deal with.

@zopyx thank you for that bit of insight.

Please be aware that Zope user authentication happens via basic auth; that means the password is base64-encoded (which means cleartext) in each request you send over the internet.
It makes a lot of sense to not use Zope users at all but to create admin users within Plone and use them.
Given this, I wouldn't give a lot of priority to making something compatible with the simplistic Zope users.

2 Likes

ahhh... thank you for this.