You're gonna laugh.  Get ready.

You didn't protect the isMember document.  It's viewable by Anonymous.  The
Zope security machinery short-circuits authentication for resources that
don't require it.  This means that when you view a resource that's
unprotected, you view it "as Anonymous".  Anonymous doesn't have the Member
role, so you see "You are NOT a Member" when you view /isMember.

I don't particularly like this behavior, but it seems not to bother anyone
else.  I think it should authorize you and set AUTHENTICATED_USER if you
pass in auth info regardless of the protection on the resource you're trying
to view.

----- Original Message -----
From: "Ron Bickers" <[EMAIL PROTECTED]>
Sent: Thursday, January 11, 2001 5:01 PM
Subject: [Zope] hasRole bug or feature in 2.2.?

> I'm having a problem with AUTHENTICATED_USER.hasRole()
> I have a user with the role 'Member' defined at the root level (and
> else).  I also have the following DTML method at the root level:
>   <dtml-if "REQUEST['AUTHENTICATED_USER'].hasRole(PARENTS[-1],
>   You are a Member.
>   <dtml-else>
>   Your are NOT a Member.
>   </dtml-if>
> When I first request the protected document /Bogus/membersonly, I'm
> to log in.  When I do, I get access to the /Bogus/membersonly document.
> Then when I request /Bogus/isMember, it says I am a Member.  However, when
> request /isMember, it says I am NOT a Member.  Anywhere I request
> other than in the /Bogus folder, I am NOT a Member, even though the user
> defined at the root level with the Member role.
> If I then request a protected document /membersonly, it shows me the
> document without prompt.  After I do that, when I request /isMember or
> /AnyFolder/isMember, it now tells me I am a Member.
> Why does it not recognize that I'm a user with the Member role anywhere on
> the site until I access a protected document at the root level?  Is this
> design or a bug?  If by design, what's the reasoning?
> Thanks!
> _______________________
> Ron Bickers
> Logic Etc, Inc.
> _______________________________________________
> Zope maillist  -  [EMAIL PROTECTED]
> **   No cross posts or HTML encoding!  **
> (Related lists -
> )

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to