Until Zope 2.8.3 it was possible to access the name of the logged-in user also in a publicly accessible method. A thing I used quite often is hiding links which were not accessible for an anonymous user but showing them in case the user has authenticated itself somewhere else in the site:

<dtml-if "AUTHENTICATED_USER.has_role('Manager')">
| <a href="manage">Manage</a>
</dtml-if>

This no longer works in Zope 2.8.5 (2.8.4 is untested) and Zope 2.9.0.

AUTHENTICATED_USER or _.SecurityGetUser().getUserName() is set to "Anonymous User" as long as the method does not require a login. When a login is required, AUTHENTICATED_USER is filled correctly but an unprivileged user is no longer able to access the document.

I'm not sure if I should see this as a bug or a feature and I was not able to find the change in a diff of the sources. Could you tell me more about this behavior?


     \|/                           Beat Rubischon <[EMAIL PROTECTED]>
   ( 0^0 )                             http://www.0x1b.ch/~beat/
My experiences, thoughts and dreams: http://www.0x1b.ch/blog/
Zope-Dev maillist  -  Zope-Dev@zope.org