You're gonna laugh. Get ready.
You didn't protect the isMember document. It's viewable by Anonymous. The
Zope security machinery short-circuits authentication for resources that
don't require it. This means that when you view a resource that's
unprotected, you view it "as Anonymous". Anonymous doesn't have the Member
role, so you see "You are NOT a Member" when you view /isMember.
I don't particularly like this behavior, but it seems not to bother anyone
else. I think it should authorize you and set AUTHENTICATED_USER if you
pass in auth info regardless of the protection on the resource you're trying
----- Original Message -----
From: "Ron Bickers" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 11, 2001 5:01 PM
Subject: [Zope] hasRole bug or feature in 2.2.?
> I'm having a problem with AUTHENTICATED_USER.hasRole()
> I have a user with the role 'Member' defined at the root level (and
> else). I also have the following DTML method at the root level:
> <dtml-if "REQUEST['AUTHENTICATED_USER'].hasRole(PARENTS[-1],
> You are a Member.
> Your are NOT a Member.
> When I first request the protected document /Bogus/membersonly, I'm
> to log in. When I do, I get access to the /Bogus/membersonly document.
> Then when I request /Bogus/isMember, it says I am a Member. However, when
> request /isMember, it says I am NOT a Member. Anywhere I request
> other than in the /Bogus folder, I am NOT a Member, even though the user
> defined at the root level with the Member role.
> If I then request a protected document /membersonly, it shows me the
> document without prompt. After I do that, when I request /isMember or
> /AnyFolder/isMember, it now tells me I am a Member.
> Why does it not recognize that I'm a user with the Member role anywhere on
> the site until I access a protected document at the root level? Is this
> design or a bug? If by design, what's the reasoning?
> Ron Bickers
> Logic Etc, Inc.
> [EMAIL PROTECTED]
> Zope maillist - [EMAIL PROTECTED]
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-dev )
Zope maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -