OK, I think I found the source code that is the culprit. From LiftServlet.scala:
http://github.com/dpp/liftweb/blob/master/framework/lift-base/lift-webkit/src/main/scala/net/liftweb/http/LiftServlet.scala

    private def authPassed_?(req: Req): Boolean = {
      val checkRoles: (Role, List[Role]) => Boolean = {
        case (resRole, roles) => (false /: roles)((l, r) => l || resRole.isChildOf(r.name))
      }

      val role = NamedPF.applyBox(req, LiftRules.httpAuthProtectedResource.toList)
      role.map(_ match {
        case Full(r) =>
          LiftRules.authentication.verified_?(req) match {
            case true => checkRoles(r, userRoles.get)
            case _ => false
          }
        case _ => true
      }) openOr true
    }

This logic seems to be inconsistent with the documentation found in LiftRules.scala:
http://github.com/dpp/liftweb/blob/master/framework/lift-base/lift-webkit/src/main/scala/net/liftweb/http/LiftRules.scala

    /**
     * Defines the resources that are protected by authentication and authorization. If this function
     * is not defined for the input data, the resource is considered unprotected ergo no authentication
     * is performed. If this function is defined and returns a Full can, it means that this resource
     * is protected by authentication, and authenticated subject must be assigned to the role returned by
     * this function or to a role that is child-of this role. If this function returns Empty it means that
     * this resource is protected by authentication but no authorization is performed meaning that roles are
     * not verified.
     */
    val httpAuthProtectedResource = RulesSeq[HttpAuthProtectedResourcePF]

Shouldn't there be something like:

    case Empty => LiftRules.authentication.verified_?(req)

?
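Added example, not part of the original message and not Lift's own code: a stand-alone model of the decision in the posted authPassed_? next to the decision the LiftRules comment describes, printed as a table so the Empty case can be compared directly. Box, Full, Empty and Role are simplified stand-ins (assumptions) so it runs without Lift; None models "partial function not defined for this request", and the names AuthDecision, asPosted and asDocumented are hypothetical.

```scala
// Simplified stand-ins for Lift's Box and Role (assumptions, not Lift's classes).
sealed trait Box[+A]
case class Full[A](value: A) extends Box[A]
case object Empty extends Box[Nothing]

case class Role(name: String, parent: Option[Role] = None) {
  // Assumption: a role satisfies its own name or any ancestor's name.
  def isChildOf(n: String): Boolean = name == n || parent.exists(_.isChildOf(n))
}

object AuthDecision {
  // Same direction as the posted checkRoles: resource role against each user role.
  def checkRoles(res: Role, roles: List[Role]): Boolean =
    roles.exists(r => res.isChildOf(r.name))

  // Decision made by the posted authPassed_?: only Full(role) triggers authentication.
  def asPosted(rule: Option[Box[Role]], verified: Boolean, userRoles: List[Role]): Boolean =
    rule match {
      case Some(Full(r)) => verified && checkRoles(r, userRoles)
      case _             => true // covers both "not defined" and Empty
    }

  // Decision the LiftRules comment describes: Empty still requires authentication.
  def asDocumented(rule: Option[Box[Role]], verified: Boolean, userRoles: List[Role]): Boolean =
    rule match {
      case None          => true     // unprotected resource
      case Some(Empty)   => verified // authentication only, roles not checked
      case Some(Full(r)) => verified && checkRoles(r, userRoles)
    }

  def main(args: Array[String]): Unit = {
    val admin = Role("admin") // constructed sample role
    val cases: List[(String, Option[Box[Role]])] = List(
      ("not defined", None),
      ("Empty", Some(Empty)),
      ("Full(admin)", Some(Full(admin)))
    )
    // Constructed sample: the user holds the admin role in every row.
    for ((label, rule) <- cases; verified <- List(false, true)) {
      val p = asPosted(rule, verified, List(admin))
      val d = asDocumented(rule, verified, List(admin))
      val note = if (p != d) "  <-- differs" else ""
      println(s"$label verified=$verified posted=$p documented=$d$note")
    }
  }
}
```

The only row where the two functions disagree is Empty with verified=false, which makes it a useful regression test case for any fix.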
