Chris Withers wrote:
> How come getSecurityManager().getUser() returns the Anonymous User in 
> access rules? Surely some checks must have been done to see whether the 
> folder containing the access rule can be traversed to?
> If not, then huh? I'm confused :-(

Access Rules trigger during publishing traversal, and authentication 
isn't performed until publishing traversal is complete.  Until traversal 
is complete, Zope can't know which containers to check for User Folders.

Also, publishing traversal only checks __roles__ on the last object in 
the traversal.  This is very different than unrestrictedTraverse(), for 
instance, which checks permissions at every traversal step.  This means 
that you can set security in a way that allows a user to access an 
object via ZPublisher that they could not access programmatically.


Evan @ 4-am

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to