> > A user that does not log in, i.e. a user you know nothing of,
> > gets the "Anonymous" role automatically (at least with "acl_users").
> > A logged in user may not get the "Anonymous" role.
> > 
> > This does not provide additional security, because this
> > user may simply shut down his browser and access the page again
> > as anonymous user.
> > On the other hand, it may result in surprises: suddenly (after
> > a log on) I can no longer do things that I was able to do
> > before the log on.
> > 
> > I think this should be changed.
> I agree, and I've said so, many times before ;-)
> Chris

Guys - 

I'm looking at the security code, and the intent is 
that if 'Anonymous' is in the roles required to access 
an object, the user is allowed (even though he may not 
have been given the 'Anonymous' role explicitly).

This appears to be the case both in 2.1.x and the new 
2.2.x security policy - I've been trying to replicate 
the problem you are referring to but I must be missing 
something. My test case was:

  o create a user 'test', giving him only 'test_role'

  o create a dtml document object with default security
    (anonymous has 'View' permission)

  o give users with 'test_role' 'View mgmt screens' on 
    the dtml document.

  o in a new browser, visit doc/manage to force login
    as 'test' with 'test_role'

  o try to view the doc normally ('View' is only given 
    to anonymous), which works as expected

Can you give me a scenario that shows the problem so 
that I can reproduce it? (walk me through what objects 
to create, what permissions to give, how to try to 
access them). This should be done with standard built-in 
User/UserFolders if possible.


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com 

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )
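One way to model the check Brian describes, as an added example that is not Zope's own code: the intended policy, where 'Anonymous' among an object's required roles admits everyone, beside the naive check that only compares the user's own roles and so produces the surprise reported in the quoted message. User, object, role and permission names are constructed to mirror the test case above.

```python
# Added example, not Zope's own code. A minimal model of role-based
# access checks: a user carries a set of roles, an object maps each
# permission to the roles allowed to exercise it. Two validators are
# compared: the intended one (Anonymous in the required roles lets
# anyone through) and a naive one (only the user's own roles count).
# All names below are constructed for illustration.

ANONYMOUS = "Anonymous"


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


# A request that never logged in carries the Anonymous role automatically.
anonymous_user = User(None, [ANONYMOUS])

# A DTML-document-like object with default security plus the extra grant
# from the test case: permission -> roles allowed.
doc_permissions = {
    "View": {ANONYMOUS},                          # default: anonymous may view
    "View management screens": {"test_role"},     # granted to test_role
}


def naive_allowed(user, permissions, permission):
    """Only the user's explicit roles count; Anonymous is not special.
    A logged-in user without the Anonymous role is denied 'View' here."""
    return bool(user.roles & permissions.get(permission, set()))


def intended_allowed(user, permissions, permission):
    """If Anonymous is among the required roles, everybody is allowed,
    whether or not the user was given that role explicitly."""
    required = permissions.get(permission, set())
    if ANONYMOUS in required:
        return True
    return bool(user.roles & required)


def run_test_case():
    """Replays the test case from the message: user 'test' has only
    'test_role'; returns each check's outcome under both validators."""
    test = User("test", ["test_role"])
    return {
        "anon_view": intended_allowed(anonymous_user, doc_permissions, "View"),
        "test_manage": intended_allowed(test, doc_permissions, "View management screens"),
        "test_view_intended": intended_allowed(test, doc_permissions, "View"),
        "test_view_naive": naive_allowed(test, doc_permissions, "View"),
    }


if __name__ == "__main__":
    for check, outcome in run_test_case().items():
        print(f"{check}: {outcome}")
```

The last two entries are the point of the thread: the intended check lets 'test' view the document after logging in, while the naive check denies what the same person could do before logging in.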