You're gonna laugh. Get ready.

You didn't protect the isMember document. It's viewable by Anonymous. The
Zope security machinery short-circuits authentication for resources that
don't require it. This means that when you view a resource that's
unprotected, you view it "as Anonymous". Anonymous doesn't have the Member
role, so you see "You are NOT a Member" when you view /isMember.

I don't particularly like this behavior, but it seems not to bother anyone
else. I think it should authorize you and set AUTHENTICATED_USER if you
pass in auth info regardless of the protection on the resource you're trying
to view.

----- Original Message -----
From: "Ron Bickers" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 11, 2001 5:01 PM
Subject: [Zope] hasRole bug or feature in 2.2.?
> I'm having a problem with AUTHENTICATED_USER.hasRole()
>
> I have a user with the role 'Member' defined at the root level (and nowhere
> else). I also have the following DTML method at the root level:
>
> <dtml-if "REQUEST['AUTHENTICATED_USER'].hasRole(PARENTS[-1], ['Member'])">
> You are a Member.
> <dtml-else>
> You are NOT a Member.
> </dtml-if>
>
> When I first request the protected document /Bogus/membersonly, I'm prompted
> to log in. When I do, I get access to the /Bogus/membersonly document.
> Then when I request /Bogus/isMember, it says I am a Member. However, when I
> request /isMember, it says I am NOT a Member. Anywhere I request isMember,
> other than in the /Bogus folder, I am NOT a Member, even though the user is
> defined at the root level with the Member role.
>
> If I then request a protected document /membersonly, it shows me the
> document without prompt. After I do that, when I request /isMember or
> /AnyFolder/isMember, it now tells me I am a Member.
>
> Why does it not recognize that I'm a user with the Member role anywhere on
> the site until I access a protected document at the root level? Is this by
> design or a bug? If by design, what's the reasoning?
>
> Thanks!
> _______________________
>
> Ron Bickers
> Logic Etc, Inc.
> [EMAIL PROTECTED]
>
>
> _______________________________________________
> Zope maillist - [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
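
The behaviour described in the reply, as a simplified model. This is an added example, not Zope's code and not part of the original thread: `USERS`, `RESOURCES`, `basic_header`, `lookup`, `publish`, `is_member` and the `always_authenticate` switch (the alternative the reply says it would prefer) are hypothetical names, and the sample user is constructed.

```python
# Simplified model of the short-circuit described in the reply; NOT Zope source.
# Every name below is hypothetical and the user record is constructed.
import base64

ANONYMOUS = ("Anonymous User", frozenset({"Anonymous"}))
USERS = {"ron": ("secret", frozenset({"Member"}))}  # defined at the root level

# Roles allowed to view each resource; "Anonymous" means unprotected.
RESOURCES = {"/isMember": {"Anonymous"}, "/membersonly": {"Member"}}


def basic_header(name, password):
    """Build the Authorization header a browser would send."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()


def lookup(auth_header):
    """Return (name, roles) for valid Basic credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:]).decode()
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    name, _, password = decoded.partition(":")
    record = USERS.get(name)
    return (name, record[1]) if record and record[0] == password else None


def publish(path, auth_header=None, always_authenticate=False):
    """Return the user the request runs as, or None for a 401 challenge."""
    allowed = RESOURCES[path]
    public = "Anonymous" in allowed
    if public and not always_authenticate:
        return ANONYMOUS  # short-circuit: credentials are never inspected
    user = lookup(auth_header)
    if user is None:
        return ANONYMOUS if public else None
    return user if public or user[1] & allowed else None


def is_member(user):
    """The test the isMember DTML method performs on AUTHENTICATED_USER."""
    return "Member" in user[1]
```

In this model a role check placed in an Anonymous-viewable page always sees Anonymous under the short-circuit behaviour; it reflects the logged-in user only when the page itself requires a role or when credentials are always evaluated.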